The February 2023 security updates for Windows Server address multiple vulnerabilities that affect Microsoft Always On VPN administrators. This latest update addresses multiple critical and important vulnerabilities in the Network Policy Server (NPS), commonly used to perform RADIUS authentication for Always On VPN servers. Specifically, there are several Remote Code Execution (RCE) and Denial of Service (DoS) vulnerabilities with Protected Extensible Authentication Protocol (PEAP). PEAP with user authentication certificates is the authentication protocol of choice for Always On VPN user tunnel authentication.
Vulnerabilities
The following is a list of vulnerabilities in PEAP addressed in the February 2023 security update.
- CVE-2023-21689 – Microsoft PEAP Remote Code Execution Vulnerability (critical)
- CVE-2023-21690 – Microsoft PEAP Remote Code Execution Vulnerability (critical)
- CVE-2023-21691 – Microsoft PEAP Information Disclosure Vulnerability (important)
- CVE-2023-21692 – Microsoft PEAP Remote Code Execution Vulnerability (critical)
- CVE-2023-21695 – Microsoft PEAP Remote Code Execution Vulnerability (important)
- CVE-2023-21701 – Microsoft PEAP Denial of Service Vulnerability (important)
Mitigation
Unauthenticated attackers can exploit the RCE vulnerabilities in PEAP on Microsoft Windows NPS servers. However, NPS servers should not be exposed directly to the Internet, so an attacker would already need access to the internal network. Even so, administrators are advised to apply this update to their NPS servers as soon as possible. In addition, organizations that deploy the NPS role on enterprise domain controllers should update immediately.
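A triage check administrators can run on each RADIUS server, added here as an example and not part of the original post: it reports whether NPS is installed, whether the host is also a domain controller, and whether the February 2023 update is present, so unpatched NPS-on-DC hosts surface first. KB5022842 is the Windows Server 2022 package named on this page; the NPAS feature name, the IAS service name, the Patch Tuesday date and the function name are assumptions.

```powershell
# Added example (not from the original post). Run elevated on the NPS host.
# Assumes Windows Server (ServerManager module available) and that KB5022842
# is the relevant package; other OS versions ship their own February 2023 update.
function Test-NpsPeapPatchState {
    param(
        # KB IDs to look for. KB5022842 covers Windows Server 2022 (from the page);
        # add the matching February 2023 cumulative update for other versions.
        [string[]]$KbIds = @('KB5022842'),
        # Assumed release date: February 2023 Patch Tuesday.
        [datetime]$ReleaseDate = [datetime]'2023-02-14'
    )

    # NPS is present if the NPAS role is installed or the 'IAS' (NPS) service exists.
    $npsRole = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        Get-WindowsFeature -Name NPAS
    }
    $npsService  = Get-Service -Name IAS -ErrorAction SilentlyContinue
    $npsInstalled = ($npsRole -and $npsRole.Installed) -or ($null -ne $npsService)

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDomainController = $domainRole -in @(4, 5)

    # Get-HotFix reads Win32_QuickFixEngineering. A later cumulative update supersedes
    # KB5022842, so a missing KB ID alone does not mean "unpatched"; also record the
    # most recent update date and compare it with the release date.
    $hotfixes   = Get-HotFix
    $kbPresent  = @($hotfixes | Where-Object { $_.HotFixID -in $KbIds }).Count -gt 0
    $latestDate = ($hotfixes | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    $updatedSinceRelease = [bool]($latestDate -and ($latestDate -ge $ReleaseDate))

    $priority = if (-not $npsInstalled) { 'n/a: NPS not installed' }
                elseif ($kbPresent -or $updatedSinceRelease) { 'patched (confirm OS build against the KB article)' }
                elseif ($isDomainController) { 'URGENT: NPS on a domain controller, no February 2023 update found' }
                else { 'HIGH: NPS server, no February 2023 update found' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NpsInstalled       = $npsInstalled
        IsDomainController = $isDomainController
        KbPresent          = $kbPresent
        LatestUpdateDate   = $latestDate
        Priority           = $priority
    }
}

Test-NpsPeapPatchState | Format-List
```

Because Get-HotFix only sees packages registered with Windows Update, treat "patched" as a first pass and confirm the OS build number against the KB article for hosts that matter.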
Additional Information
February 2023 Update for Windows Server 2022 (KB5022842)