Finding Microsoft VPN/PPTP with runZero
Last month, researcher Alex Nichols at Nettitude reported a vulnerability in Microsoft’s Windows VPN software that could allow for remote code execution or local privilege escalation by an attacker. This vulnerability lies in a use-after-free condition that can occur in the Point-to-Point Tunneling Protocol (PPTP) logic of Microsoft’s VPN software. It has existed for over 10 years and is present in most Windows releases dating back to Windows Server 2008 and Windows 7.
What is the impact? #
Tracked as CVE-2022-21972 with a CVSS “high” score of 8.1, this vulnerability is reportedly only exploitable in Windows Server versions, not Windows Desktop deployments, due to configuration differences (see “Affected Versions”). Successful exploitation requires non-trivial effort, but once achieved, an attacker may attain remote code execution (RPC) or local privilege escalation (LPE) on the target.
Are updates available? #
Microsoft has provided patches for all affected Windows versions in the May 2022 Patch Tuesday update. Admins should update systems, but take note that some folks are experiencing issues with VPN (and other services, including RDP) after applying the June 2022 Patch Tuesday updates.
How do I find vulnerable Windows VPN instances with runZero? #
_asset.protocol:pptp and protocol:pptp and pptp.vendor:microsoft
Get runZero for free
Don’t have runZero and need help finding vulnerable Windows VPN instances?Start your trial today
February 20, 2024
Finding ScreenConnect installations with runZero
On February 19, 2024, ConnectWise disclosed two serious vulnerabilities in their ScreenConnect (formerly Control) remote-access product. The first vulnerability is an authentication bypass vulnerability. Successful exploitation of this vulnerability would allow attackers to …Read More
February 20, 2024
Finding Microsoft Exchange Servers with runZero
As part of its updates released on February 13, 2024, Microsoft has disclosed a vulnerability in Microsoft Exchange that would allow attackers to authenticate to Microsoft Exchange servers using a captured NTLM hash (a so-called “pass-the-hash” vulnerability). …Read More
February 8, 2024
Finding Ivanti Connect Secure and Policy Secure Gateways with runZero
Today, February 8th, 2024, Ivanti disclosed a serious vulnerability in the Ivanti Connect Secure and Ivanti Policy Secure products. The issue, CVE-2024-22024, allows attackers to bypass authentication on the affected device to reach restricted resources. This vulnerability …Read More
Subscribe and stay in the loop!
We won't share your email.
Unsubscribe at any time.