All posts tagged vulnerability

November Microsoft Security Updates and AD CS

As I do each month on Patch Tuesday, I look through the list of published vulnerabilities in search of things that might interest Always On VPN Administrators. Frequently there are updates for things like Routing and Remote Access Service (RRAS) or various VPN protocols. The good news is that the November 2024 security updates include NO such vulnerabilities! However, a vulnerability has been disclosed that affects Active Directory Certificate Services (AD CS) on which Always On VPN often relies on for user and device authentication.

Certificate Templates

AD CS Enterprise certificate authorities are closely integrated with Active Directory and use certificate templates that administrators can publish for users and devices to enroll. These templates control properties of the issued certificates, such as the subject name, usage, key length, enrollment policies, and much more. There are several different template versions available, versions 1 through 4. Version 1 templates are legacy templates that don’t provide many capabilities. Later versions include more features and capabilities.

CVE-2024-49019

The November 2024 Microsoft security updates include CVE-2024-49019, a privilege escalation vulnerability recently discovered in AD CS. Specifically, this vulnerability affects only legacy schema version 1 certificate templates published on a certificate authority (CA) server that include the option to supply the subject name in the certificate request. A typical example of this would be the default Web Server template.

Exploitation

The Web Server template does not include the Client Authentication Enhanced Key Usage (EKU) by default, which is required to authenticate to Active Directory. However, this vulnerability allows an attacker with enrollment privileges on this template to supply additional EKUs in the request and the certificate issued will include those capabilities. This allows a non-privileged attacker to quickly elevate to a domain or enterprise administrator by supplying a known administrator’s User Principal Name (UPN) along with the Client Authentication EKU in the certificate request. As version 1 templates cannot enforce CA manager approval for enrollment, an attacker can easily leverage this vulnerability if permissions allow, leading to complete domain compromise.

Note: This applies to any schema version 1 certificate template published with the subject name supplied in the request, not just the Web Server template.

Complications

Making matters worse, the Web Server template is one of the default certificate templates published automatically when a Windows Server CA is deployed. The best practice is to disable the publishing of any certificate templates by default when a new CA is provisioned. However, it requires additional configuration that is often overlooked. In addition, many administrators use overly broad enrollment permissions for this template, such as Domain Users, Domain Computers, or Authenticated Users, further broadening the attack surface.

Mitigation

Administrators should update their CA servers as soon as possible. If you cannot deploy this update immediately, consider replacing any schema version 1 templates with version 2 templates, which are not vulnerable. Also, as best practice, ensure that any certificate templates that allow the subject name to be supplied in the request also requires CA manager approval or additional authorized signatures for enrollment.

Investigation

Administrators should review enrollment privileges for all published certificate templates to ensure the least privileged access. In addition, administrators should audit all valid certificates issued with schema version 1 certificate templates that allow the subject name to be supplied in the request immediately to look for indicators of compromise. Review issued certificates for unauthorized EKUs or unusual subject names, especially those with a UPN.

Additional Information

Microsoft November 2024 Security Updates

CVE-2024-49019 – AD CS Elevation of Privilege Vulnerability

EKUwu: Not Just Another AD CS ESC – TrustedSec

Leave a comment
by Richard M. Hicks on November 13, 2024  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, ADCS, administration, Always On VPN, AOVPN, authentication, Certificate Authority, Certificate Services, certificates, Enterprise, Microsoft, Operational Support, PKI, public key infrastructure, Security, Security Update, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 13, 2024

https://directaccess.richardhicks.com/2024/11/13/november-microsoft-security-updates-and-ad-cs/

DirectAccess and CVE-2024-38063

With the August 2024 Windows security updates, Microsoft released a fix to address a Remote Code Execution vulnerability in the Windows TCP/IP stack (CVE-2024-38063). Critically, this vulnerability affects IPv6 only and does not require authentication or user interaction to exploit. An attacker would only need to send specially crafted IPv6 packets to a Windows host, which could allow them to run arbitrary code on the server. This vulnerability presents some unique challenges for organizations that have deployed DirectAccess.

Exposure

DirectAccess servers are deployed to provide secure remote access and are, necessarily, exposed to the public Internet. Sometimes, this is a direct connection (not recommended) or behind an edge firewall or load balancer. In either case, anyone can establish a TCP connection from the Internet to the DirectAccess server by default. If the DirectAccess server has a global unicast IPv6 address assigned to its external interface, that presents a worst-case scenario for exposure. Administrators should update their DirectAccess servers immediately. There are some other mitigation options, though. See below for more details.

IPv6 Transition

DirectAccess servers are usually reachable on the public Internet via IPv4 only. The lack of direct IPv6 connectivity significantly reduces the attack vector for this vulnerability. However, DirectAccess servers use various IPv6 transition technologies that could present additional risks.

Tunnel Establishment

Clients on the Internet can establish an IPv6 transition tunnel to the DirectAccess server without authentication. Once the tunnel is established, the client will receive a router advertisement (RA) and establish an IPv6 address on link. However, communication over the link requires IPsec. Although an attacker can obtain an IPv6 address, they require authentication to send TCP and UDP traffic inside the tunnel.

ICMP

It’s important to know that ICMP traffic inside the DirectAccess IPv6 transition tunnel is exempt from IPsec policy processing, by default. It is unclear whether the “specially crafted packets” an attacker must send to exploit this vulnerability can be ICMP packets. If that’s the case, this introduces significant risks and increases exposure exponentially. I will update this post if I learn anything more about this specifically.

Mitigation

The best and most obvious way to mitigate this attack is to immediately apply the Microsoft security updates. However, some additional controls can be effective in mitigating this risk.

Authentication

As mentioned, DirectAccess allows IPv6 transition tunnels to be established by default without authentication. However, it is possible to update the DirectAccess configuration to support authentication, as described here.

https://directaccess.richardhicks.com/2016/06/13/directaccess-ip-https-preauthentication/

Note: Updating the DirectAccess configuration can be impactful for remote users. Be sure to test this change in a lab environment before implementing in production.

Load Balancers

If the DirectAccess server is behind a load balancer, it can be configured to require authentication for DirectAccess IPv6 transition tunnels. Below is published guidance for configuring popular load balancers to support this.

F5 BIG-IP

Citrix ADC (formerly NetScaler)

Additional Information

Microsoft Windows TCP/IP Remote Code Execution Vulnerability

DirectAccess IP-HTTPS Preauthentication

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

DirectAccess IP-HTTPS Preauthentication using Citrix ADC (formerly NetScaler)

3 Comments
by Richard M. Hicks on August 15, 2024  •  Permalink
Posted in BIG-IP, CVE, DirectAccess, encapsulation, Enterprise, enterprise mobility, Hotfix, IP-HTTPS, IPv6, Load Balancing, local traffic manager, LTM, Microsoft, Mobility, Operational Support, Remote Access, Security, Security Update, SSL, SSL and TLS, TLS, transition technology, Update, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on August 15, 2024

https://directaccess.richardhicks.com/2024/08/15/directaccess-and-cve-2024-38063/

Always On VPN Security Updates August 2024

Today is the second Tuesday of the month, so Windows Server administrators everywhere know what that means – it’s Update Tuesday! For Always On VPN administrators in particular there are a few security updates that affect Windows Server Routing and Remote Access (RRAS), which is a popular VPN server used to support Always On VPN implementations. While many of these updates address Remote Code Execution vulnerabilities, non are considered critical.

RRAS Updates

This month there are six vulnerabilities disclosed affecting Windows Server RRAS.

CVE-2024-38120 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38121 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38128 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38130 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38154 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38214 – Windows RRAS Remote Code Execution Vulnerability (Important)

Additional Updates

In addition to the updates addressing vulnerabilities in Windows Server RRAS, there are also updates available for the Windows Network Address Translation (NAT), Windows Transport Layer Security (TLS), and Windows IP Routing Management snapin that could potentially impact Always On VPN deployments.

Recommendations

None of the security vulnerabilities disclosed this month are critical. Although the RRAS vulnerabilities are remote code execution, exploitation is unlikely. However, administrators are encouraged to update their systems as soon as possible.

Additional Information

Microsoft August 2024 Security Updates

Leave a comment
by Richard M. Hicks on August 13, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, CVE, Enterprise, Hotfix, Microsoft, Mobility, Operational Support, Remote Access, routing, routing and remote access service, RRAS, Security, Security Update, SSL, SSL and TLS, TLS, Update, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 13, 2024

https://directaccess.richardhicks.com/2024/08/13/always-on-vpn-security-updates-august-2024/

« Older Posts
Newer Posts »