Today is the second Tuesday of the month, so Windows Server administrators everywhere know what that means – it’s Update Tuesday! For Always On VPN administrators in particular, there are a few security updates that affect Windows Server Routing and Remote Access (RRAS), which is a popular VPN server used to support Always On VPN implementations. While many of these updates address Remote Code Execution vulnerabilities, none are considered critical.
RRAS Updates
This month there are six vulnerabilities disclosed affecting Windows Server RRAS.
CVE-2024-38120 – Windows RRAS Remote Code Execution Vulnerability (Important)
CVE-2024-38121 – Windows RRAS Remote Code Execution Vulnerability (Important)
CVE-2024-38128 – Windows RRAS Remote Code Execution Vulnerability (Important)
CVE-2024-38130 – Windows RRAS Remote Code Execution Vulnerability (Important)
CVE-2024-38154 – Windows RRAS Remote Code Execution Vulnerability (Important)
CVE-2024-38214 – Windows RRAS Remote Code Execution Vulnerability (Important)
Additional Updates
In addition to the updates addressing vulnerabilities in Windows Server RRAS, there are also updates available for Windows Network Address Translation (NAT), Windows Transport Layer Security (TLS), and the Windows IP Routing Management snap-in that could potentially impact Always On VPN deployments.
Recommendations
None of the security vulnerabilities disclosed this month are critical. Although the RRAS vulnerabilities are remote code execution vulnerabilities, exploitation is unlikely. However, administrators are encouraged to update their systems as soon as possible.