White Hat Institute

L2TP VPN connections are broken by the new Windows KB5009543 and KB5009566 updates

Windows L2TP VPN
Retrieved from cnn.com

After installing the latest Windows 10 KB5009543 and Windows 11 KB5009566 cumulative updates, users and administrators are reporting that they can no longer connect to L2TP VPNs. As part of the January 2022 Patch Tuesday, Microsoft shipped Windows updates that fix security vulnerabilities and other bugs. Two of those updates are KB5009566 for Windows 11 and KB5009543 for Windows 10 versions 20H2, 21H1, and 21H2.

After installing this week's updates, Windows users find that their L2TP VPN connections fail when made through the built-in Windows VPN client. When they try to connect to a VPN device, they receive the error “Can't connect to VPN. The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer,” as shown in the screenshot below.

Error dialog: “The L2TP connection attempt failed”
Retrieved from cnn.com

The bug does not appear to affect every VPN device; it mainly affects users who connect with the built-in Windows VPN client. According to a security researcher going by Ronny on Twitter, it breaks Ubiquiti site-to-site VPN connections for users on the Windows VPN client.

Several Windows administrators on Reddit report that the bug also breaks connections to SonicWall, Cisco Meraki, and WatchGuard firewalls, and that WatchGuard's own client is affected too. With so many people still working remotely, administrators have been forced to uninstall KB5009566 and KB5009543, which restores L2TP VPN connectivity as soon as the machine is restarted.

The following commands, run from an elevated Command Prompt, remove the KB5009566 and KB5009543 updates from Windows (a restart is required afterwards).

Windows 10: wusa /uninstall /kb:5009543
Windows 11: wusa /uninstall /kb:5009566

Because Microsoft bundles all of a month's security fixes into a single cumulative update, uninstalling it also removes every other fix from the January Patch Tuesday. Windows administrators therefore have to weigh the risk of running with those vulnerabilities unpatched against the cost of losing VPN access.
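The following PowerShell script is an added example and not code from the original article; it ties together the symptom described earlier (the L2TP negotiation error shown by the Windows VPN client) and the uninstall commands above. It assumes an elevated PowerShell session, that the RAS client logs connection failures under the RasClient provider in the Application log, and that the dialog text shown above corresponds to RAS error code 789 (both treated as assumptions here). The KB numbers are the two named in the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Triage the L2TP failure on a
# Windows 10/11 host and, if one of the two January 2022 cumulative updates is
# present, remove it with the same wusa command the article gives.
# Assumptions: RasClient writes VPN client failures to the Application log, and
# the dialog text in the article corresponds to RAS error code 789.

$affectedKbs = @('KB5009543', 'KB5009566')

function Get-L2tpFailureEvents {
    param([int]$Hours = 24)
    # RasClient event 20227 records a failed connection together with its RAS
    # error code; 789 is the code behind the "security layer encountered a
    # processing error" dialog (assumption, see lead-in).
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 20227 -and $_.Message -match 'error code returned on failure is 789\b' } |
        Select-Object TimeCreated, Id, Message
}

function Get-AffectedUpdate {
    # Get-HotFix lists the installed cumulative updates by KB ID.
    Get-HotFix | Where-Object { $affectedKbs -contains $_.HotFixID }
}

function Remove-AffectedUpdate {
    param([Parameter(Mandatory)][string]$HotFixID)
    $kbNumber = $HotFixID -replace '^KB', ''
    # Same command as in the article; /quiet and /norestart make it scriptable.
    # The removal is not complete, and L2TP does not work again, until reboot.
    Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" `
        -Wait -NoNewWindow
}

$failures = @(Get-L2tpFailureEvents)
Write-Host ("RasClient L2TP negotiation failures (error 789) in the last 24h: {0}" -f $failures.Count)

$installed = @(Get-AffectedUpdate)
if ($installed.Count -eq 0) {
    Write-Host 'Neither KB5009543 nor KB5009566 is installed; look elsewhere for the cause.'
    return
}

foreach ($hotfix in $installed) {
    Write-Host "Removing $($hotfix.HotFixID) (installed $($hotfix.InstalledOn))."
    Remove-AffectedUpdate -HotFixID $hotfix.HotFixID
}

# Removing the cumulative update also removes every other fix it shipped with,
# so record what was removed for the change ticket and schedule the reboot.
Write-Host 'Reboot required for the removal to take effect; the host is now missing the January 2022 security fixes.'
```

Run it once per affected host, or wrap it in your management tooling; the event-log query is worth running on its own first, because a host with no RasClient error 789 events and no affected KB installed has a different problem than the one this article describes.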

The root cause is not yet known, but Microsoft's January Patch Tuesday fixed several vulnerabilities in the Windows Internet Key Exchange (IKE) extension (CVE-2022-21843, CVE-2022-21890, CVE-2022-21883, CVE-2022-21889, CVE-2022-21848, and CVE-2022-21849) and in the Windows Remote Access Connection Manager (CVE-2022-21914 and CVE-2022-21885), and one of those fixes may be responsible.

At the time of writing, there is no known fix or workaround for the L2TP VPN connection problem other than uninstalling the update.