Always On VPN July 2023 Security Updates

Hello, Always On VPN administrators! It’s the second Tuesday of the month, so you know what that means. Yes, it’s Patch Tuesday! This month’s security updates include several fixes for vulnerabilities potentially affecting Microsoft Always On VPN deployments.

RRAS Vulnerabilities

Microsoft’s July 2023 security updates include fixes affecting Windows Servers with the Routing and Remote Access Service (RRAS) role installed. Security vulnerabilities CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367 are all Remote Code Execution (RCE) vulnerabilities with a Critical security rating and a CVSS score of 9.8. These security vulnerabilities in Windows Server RRAS are particularly troublesome due to the nature of the workload. RRAS servers are, by design, exposed to the public Internet. Although there are no known exploits in the wild at this time, this attack requires no special privileges other than network access. Administrators running Windows Server with RRAS installed are encouraged to update as soon as possible.

AD CS Vulnerabilities

Most Always On VPN implementations leverage enterprise PKI certificates for user and device authentication. Administrators commonly deploy Microsoft Active Directory Certificate Services (AD CS) to support this. This month there are two security vulnerabilities in AD CS marked as Important. CVE-2023-35350 and CVE-2023-35351 address RCE vulnerabilities that exploit a race condition on the server. However, AD CS servers are not exposed to untrusted networks. In addition, attackers would require administrative rights on the server to exploit these vulnerabilities.

Network Load Balancing

Finally, of importance to Always On VPN administrators using Windows Network Load Balancing (NLB) to provide load balancing for their RRAS servers, there is a vulnerability in the NLB service. CVE-2023-33163 addresses an RCE vulnerability in NLB identified as Important.

Additional Information

Microsoft July 2023 Security Updates

Windows Server 2022 KB5028171 (Build 20348.1850)

Windows Server 2019 KB5028168 (Build 17763.4645)

Windows Server 2016 KB 5028169 (Build 14393.6085)

Windows 11 22H2 KB8028185 (Build 22621.1992)

Windows 11 21H2 KB5028182 (Build 22000.2176)

Always On VPN RRAS and Stale Connections

Always On VPN Updates for RRAS and IKEv2

Always On VPN administrators may be familiar with an issue that affects Windows Server Routing and Remote Access Service (RRAS) servers, where many stale VPN connections appear in the list of active connections. The issue is most prevalent when using IKEv2, either for the Always On VPN device tunnel or the user tunnel. Typically, this does not cause problems, but some administrators have reported issues related to port exhaustion or failed IKEv2 connections when many stale connections are present. Stale connections happen so frequently that I created a PowerShell script to clean them up on the RRAS server. Restarting the RemoteAccess service or rebooting the server also clears stale connections.

Microsoft Fix

Thankfully, Microsoft has addressed these issues in Windows Server 2019 and Windows Server 2022 this month. An update is now available in the March 2023 security update that resolves this problem.

You can find more information about the updates here.

The update was not made available for Windows Server 2016, however. Organizations are encouraged to upgrade to Windows Server 2019 or later to address this problem.

Additional Information

Always On VPN Updates for RRAS and IKEv2

Always On VPN IKEv2 Load Balancing and NAT

Always On VPN and IKEv2 Fragmentation

NetMotion Mobility Is Now Absolute Secure Access

NetMotion Mobility is a premium enterprise mobility and Zero Trust Network Access (ZTNA) solution that delivers unrivaled capabilities and performance. It includes many features unavailable in any other secure remote access solution. It is software-based, running on Windows Server, and does not require dedicated or proprietary hardware. It also features broad client support, including Windows (Professional and Enterprise), macOS, iOS (iPhone and iPad), and Android phones and tablets.

Absolute Software

Last year NetMotion Software was acquired by Absolute Software, makers of persistent, self-healing security software. Beginning with release 12.70, NetMotion Mobility has been rebranded as Absolute Secure Access. In addition, NetMotion Mobile IQ, a comprehensive visibility and reporting tool that integrates with Mobility is now Absolute Insights for Network.

What’s New in 12.70

Absolute Secure Access v12.70 has been completely rebranded, and the management user interface (UI) has a new look and feel. The UI and endpoint agent also includes new icons. In addition, Absolute Secure Access 12.70 includes the following new features.

  • Formal support for Windows Server 2022
  • Enhanced data warehouse security controls
  • Faster Network Access Control (NAC) checks
  • Improved user and device authentication certificate selection – no more user prompts!
  • Support for iOS 16

Migration Path

Migrating from NetMotion Mobility 12.5x to Absolute Secure Access 12.70 is straightforward. However. Migrating from NetMotion Mobility releases before 12.5x will prove more challenging. Specifically, the 12.5x release introduced some significant architectural changes which prevent in-place upgrades to 12.70. With NetMotion Mobility releases before 12.5x, it is recommended to implement new infrastructure running 12.70 and migrate users to the new infrastructure.

Additional Information

Absolute Enterprise VPN and Zero Trust Network Access (ZTNA)

VIDEO: Introduction to Absolute Secure Access Enterprise VPN and ZTNA

What’s New in Absolute Secure Access 12.70

Absolute Secure Access Purpose-Built Enterprise VPN

Absolute Secure Access Purpose-Built Enterprise VPN Advanced Features In Depth