All posts tagged patch

Always On VPN Security Updates April 2025

Microsoft has published its monthly security updates. Many updates address Routing and Remote Access Service (RRAS) vulnerabilities commonly used in Always On VPN deployments. In addition, an update addresses a vulnerability in Active Directory Certificate Services (AD CS). Always On VPN user and device authentication often rely on AD CS-issued certificates.

RRAS Updates

The April 2025 Microsoft security updates include the following CVEs for Windows Server RRAS.

Only one of these CVEs (26668) is a Remote Code Execution vulnerability. The others are information disclosure vulnerabilities. None of these vulnerabilities are rated Critical; all are rated Important.

AD CS Update

This month’s security update includes the following CVE for AD CS.

Additional Information

Microsoft April 2025 Security Updates

Leave a comment
by Richard M. Hicks on April 8, 2025  •  Permalink
Posted in routing and remote access service, RRAS, Security, Security Update, Update
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 8, 2025

https://directaccess.richardhicks.com/2025/04/08/always-on-vpn-security-updates-april-2025/

Always On VPN October 2023 Security Updates

Once again, it’s time to patch! After several quiet months, there are a few crucial updates Always On VPN administrators will want to get deployed soon. Thankfully, the impact of the security updates related to Always On VPN is low this time, as there is only one Remote Code Execution (RCE) vulnerability, and it’s for a legacy protocol that should be in limited use today.

IKEv2

CVE-2023-36726 addresses a security vulnerability in Windows Internet Key Exchange (IKE) that can lead to privilege escalation. An attacker who successfully exploits this vulnerability can elevate privileges to that of the local SYSTEM.

L2TP

This month’s update discloses several Layer Two Tunneling Protocol (L2TP) vulnerabilities. The following CVEs all address a vulnerability where an attacker can send a specially crafted protocol message to a Windows Routing and Remote Access Service (RRAS) server, which could lead to remote code execution on the server.

Mitigation

The impact of the L2TP security vulnerabilities should be minimal in most organizations. L2TP is a legacy VPN protocol not commonly used for Always On VPN. However, misconfiguration can leave vulnerable RRAS servers exposed. Administrators must ensure that inbound UDP port 1723 is not open from the Internet. In addition, L2TP should be disabled on the RRAS server if not in use. See the article on the May 2023 security updates for details.

Additional Information

October 2023 Security Updates

Leave a comment
by Richard M. Hicks on October 10, 2023  •  Permalink
Posted in Always On VPN, AOVPN, Enterprise, enterprise mobility, Hotfix, IKEv2, Infrastructure, Microsoft, Mobility, Operational Support, Remote Access, routing and remote access service, RRAS, Security, Security Update, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 10, 2023

https://directaccess.richardhicks.com/2023/10/10/always-on-vpn-october-2023-security-updates/