Always On VPN Security Updates October 2024

Microsoft has released the October 2024 security updates, and numerous issues may impact Always On VPN administrators. Although many CVEs affect Always On VPN-related services that are Remote Code Execution (RCE) vulnerabilities, none are critical this cycle.

RRAS Updates

This month, Microsoft has provided 12 updates for the Windows Server Routing and Remote Access Service (RRAS), commonly deployed to support Always On VPN deployments. Most of these CVEs involve overflow vulnerabilities (heap and stack), input validation weaknesses, and buffer over-read and overflow vulnerabilities. All are rated important, and there are no known exploits currently.

CVE-2024-38212

CVE-2024-38261

CVE-2024-38265

CVE-2024-43453

CVE-2024-43549

CVE-2024-43564

CVE-2024-43589

CVE-2024-43592

CVE-2024-43593

CVE-2024-43607

CVE-2024-43608

CVE-2024-43611

Related Updates

In addition to the updates above, Microsoft also released fixes for security vulnerabilities in various related services that are important to Always On VPN administrators.

Windows Network Address Translation (NAT)

The following CVEs address denial of service vulnerabilities in the Network Address Translation (NAT) service.

CVE-2024-43562

CVE-2024-43565

Certificate Services

Always On VPN administrators will also find updates for CVEs affecting various certificate services-related components.

CVE-2024-43545OCSP Denial of Service Vulnerability

CVE-2024-43541Simple Certificate Enrollment Protocol (SCEP) Denial of Service Vulnerability

CVE-2024-43544Simple Certificate Enrollment Protocol (SCEP) Denial of Service Vulnerability

Recommendations

Always On VPN administrators are encouraged to update systems as soon as possible. However, since none of the CVEs is rated Critical, updates can be applied during standard update windows.

Additional Information

Microsoft October 2024 Security Updates

Cloud PKI for Microsoft Intune on RunAs Radio

Recently, I joined my good friend Richard Campbell on his popular RunAs Radio podcast. In this episode, we discussed Microsoft’s new Cloud PKI for Intune service. Cloud PKI for Intune is a PKI-as-a-service solution that allows organizations to issue and manage digital certificates without deploying on-premises infrastructure. Optionally, Cloud PKI for Intune supports integration with an existing on-premises PKI. Cloud PKI for Intune isn’t without a few drawbacks, though. We discuss all the benefits and limitations during this podcast, so be sure to listen!

Additional Information

Cloud PKI for Microsoft Intune on RunAs Radio Episode 943

Overview of Cloud PKI for Microsoft Intune

Cloud PKI for Microsoft Intune and Active Directory

Cloud PKI for Microsoft Intune SCEP URL

Cloud PKI for Microsoft Intune and Certificate Templates

Microsoft Cloud PKI for Intune SCEP URL

Earlier this year, Microsoft announced Cloud PKI for Intune, a cloud service for issuing and managing digital certificates for Intune-managed endpoints. With Cloud PKI for Intune, administrators no longer need to deploy on-premises infrastructure to use certificates for user and device-based authentication for workloads such as Wi-Fi and VPN. Cloud PKI for Intune can be used standalone (cloud native) or integrated with an existing on-premises Active Directory Certificate Services (AD CS) enterprise PKI to extend an existing on-premises certificate services infrastructure.

Provisioning

Cloud PKI for Intune utilizes Simple Certificate Enrollment Protocol (SCEP) to enroll certificates for users and devices. To deploy Intune Cloud PKI certificates, administrators must create and deploy a SCEP Certificate device configuration policy in Intune.

SCEP URL

When creating the SCEP certificate device configuration policy in Intune, administrators are asked to supply the SCEP server URL. Administrators will find this information by opening the Intune management console, navigating to Tenant Administration > Cloud PKI, clicking on the issuing certification authority, and then clicking Properties.

Administrators may notice the URL is unreachable if they try to connect to it using their web browser or PowerShell. Specifically, the FQDN is not shown in the URI; instead, it is represented as the variable {{CloudPKIFQDN}}, as highlighted above.

Policy Configuration

You can safely ignore this as it is not an error or misconfiguration. Simply copy and paste the entire URL into your SCEP certificate device configuration profile as is. Intune in the background will convert this to a fully formed URL with a proper FQDN accessible from the public Internet. This variable is used because it allows Microsoft to use different resources dynamically according to geography and availability.

Additional Information

RFC 8894 – Simple Certificate Enrollment Protocol

Microsoft Cloud PKI for Intune

Microsoft Cloud PKI for Intune and Active Directory

Microsoft Cloud PKI for Intune and Certificate Templates