All posts tagged hotfix

Always On VPN April 2024 Security Updates

Microsoft has released its security updates for April 2024. This month, a few vulnerabilities are potentially impacting Always On VPN administrators. Specifically, three updates address issues with the Windows Server Routing and Remote Access Service (RRAS). In addition, vulnerabilities affect the Remote Access Connection Manager (RasMan) service, affecting both VPN servers and clients.

RRAS

Windows Server Routing and Remote Access (RRAS) has three security updates available this month. All three are Remote Code Execution (RCE) vulnerabilities but require user interaction to exploit the vulnerability. All three updates are rated as Important.

CVE-2024-26179

CVE-2024-26200

CVE-2024-26205

RasMan

In addition to the vulnerabilities in RRAS, Microsoft announced numerous updates for vulnerabilities discovered in the Remote Access Connection Manager (RasMan) service. These vulnerabilities are related to information disclosure via buffer overruns. These updates affect both Windows RRAS servers and Windows Always On VPN clients. All updates are rated as Important.

CVE-2024-26207

CVE-2024-26211

CVE-2024-26217

CVE-2024-26255

CVE-2024-28900

CVE-2024-28901

CVE-2024-28902

Recommendations

While none of these vulnerabilities are critical, Always On VPN administrators are urged to update their affected systems soon.

Additional Information

April 2024 Security Updates

Leave a comment
by Richard M. Hicks on April 9, 2024  •  Permalink
Posted in Always On VPN, AOVPN, CVE, Enterprise, enterprise mobility, Hotfix, Infrastructure, Microsoft, Mobility, Operational Support, Remote Access, routing and remote access service, RRAS, Security, Security Update, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , ,

Posted by Richard M. Hicks on April 9, 2024

https://directaccess.richardhicks.com/2024/04/09/always-on-vpn-april-2024-security-updates/

Always On VPN April 2023 Security Updates

Heads up, Always On VPN administrators! This month’s patch Tuesday includes fixes for critical security vulnerabilities affecting Windows Server Routing and Remote Access Service (RRAS). Crucially there are remote code execution (RCE) vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP) (CVE-2023-28232), the Layer Two Tunneling Protocol (L2TP) (CVE-2023-28219, CVE-2023-28220), the Point-to-Point over Ethernet (PPPoE) protocol (CVE-2023-28224), and the Internet Key Exchange (IKE) protocol (CVE-2023-28238). The vulnerabilities in PPTP and L2TP are especially urgent as they allow an unauthenticated attacker to exploit them. There is also a denial-of-service (DoS) vulnerability (CVE-2023-28234) in the Secure Socket Tunneling Protocol (SSTP) protocol.

Exposure and Risk

The RCEs in PPTP, L2TP, and PPPoE should present limited risk as these protocols aren’t commonly used for Always On VPN (PPPoE and PPTP aren’t supported for Always On VPN, in fact). However, organizations may be using these protocols for other purposes. In addition, improperly configured edge firewalls could allow these connections even though administrators may not be actively using them. An attacker could also exploit these vulnerabilities with access to the RRAS server from the internal network.

Attack Surface Reduction

Always On VPN administrators are advised to ensure that only protocols and ports for VPN protocols in use are allowed through the edge firewall. Also, administrators should disable any unused protocols and services in RRAS to reduce the attack surface on their RRAS servers. To do this, open an elevated PowerShell command window on the RRAS server and run the following commands to disable support for the PPTP, L2TP, and PPPoE protocols.

netsh.exe ras set wanports device = “WAN Miniport (L2TP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0

netsh.exe ras set wanports device = “WAN Miniport (PPTP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 1

netsh.exe ras set wanports device = “WAN Miniport (PPPOE)” ddoutonly = disabled

Restart-Service RemoteAccess -PassThru

Additional Vulnerabilities

This month’s update also includes fixes for other vulnerabilities that may impact Always On VPN deployments. Specifically, there are RCEs in Windows Network Address Translation (NAT) (CVE-2023-28217) and Windows Network Load Balancing (NLB) (CVE-2023-28240), and a DoS vulnerability in Windows Transport Layer Security (TLS) (CVE-2023-28234).

Update Now

Administrators should patch their RRAS servers as soon as possible to avoid potential compromise of the RRAS server in their environments.

Additional Information

Always On VPN SSTP Security Configuration

Leave a comment
by Richard M. Hicks on April 12, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, authentication, Enterprise, enterprise mobility, Hotfix, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, SSL, SSL and TLS, SSTP, TLS, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 12, 2023

https://directaccess.richardhicks.com/2023/04/12/always-on-vpn-april-2023-security-updates/

Always On VPN RRAS and Stale Connections

Always On VPN Updates for RRAS and IKEv2

Always On VPN administrators may be familiar with an issue that affects Windows Server Routing and Remote Access Service (RRAS) servers, where many stale VPN connections appear in the list of active connections. The issue is most prevalent when using IKEv2, either for the Always On VPN device tunnel or the user tunnel. Typically, this does not cause problems, but some administrators have reported issues related to port exhaustion or failed IKEv2 connections when many stale connections are present. Stale connections happen so frequently that I created a PowerShell script to clean them up on the RRAS server. Restarting the RemoteAccess service or rebooting the server also clears stale connections.

Microsoft Fix

Thankfully, Microsoft has addressed these issues in Windows Server 2019 and Windows Server 2022 this month. An update is now available in the March 2023 security update that resolves this problem.

You can find more information about the updates here.

The update was not made available for Windows Server 2016, however. Organizations are encouraged to upgrade to Windows Server 2019 or later to address this problem.

Additional Information

Always On VPN Updates for RRAS and IKEv2

Always On VPN IKEv2 Load Balancing and NAT

Always On VPN and IKEv2 Fragmentation

Leave a comment
by Richard M. Hicks on March 14, 2023  •  Permalink
Posted in Always On VPN, device tunnel, Enterprise, enterprise mobility, GitHub, Hotfix, IKEv2, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, troubleshooting, Update, user tunnel, VPN, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 14, 2023

https://directaccess.richardhicks.com/2023/03/14/always-on-vpn-rras-and-stale-connections/

« Older Posts