1. Introduction
The L2TP Network Server Detection vulnerability indicates that a VPN service is listening on your network. This means an L2TP tunnel could be established to this system, potentially allowing remote access. Businesses should address this as it can create an unexpected entry point for attackers. Confidentiality, integrity and availability may all be impacted if exploited.
2. Technical Explanation
The reported host speaks the L2TP tunneling protocol and appears to be a VPN endpoint. This is not necessarily a vulnerability in itself, but it indicates a service that could be targeted by attackers attempting to establish a VPN connection. An attacker could exploit this by establishing an unauthorized VPN tunnel and gaining access to internal network resources.
- Root cause: The L2TP service is running and listening for connections on the network.
- Exploit mechanism: An attacker uses standard L2TP client software to connect to the exposed server, potentially bypassing other security controls.
- Scope: Systems running an L2TP Network Server are affected.
3. Detection and Assessment
To confirm whether a system is vulnerable, first check if the L2TP service is running. A thorough method involves network scanning to identify open ports associated with L2TP.
- Quick checks: Use `netstat -an | findstr 1701` on Windows to see if port 1701 (L2TP, UDP) is bound. Note that `findstr 1701` matches any line containing that digit sequence (for example port 17014), so read the Local Address column rather than relying on a non-empty result.
- Scanning: Nessus plugin ID 68453 can detect L2TP Network Server exposure as an example.
- Logs and evidence: Check system logs for events related to L2TP connections or service startup.
4. Solution / Remediation Steps
To fix the issue, disable or remove the unnecessary L2TP Network Server if it is not required. If needed, configure strong authentication and encryption for the service.
4.1 Preparation
- Ensure you have alternative VPN solutions available if removing L2TP. A roll back plan is to restart the L2TP service.
- Change windows may be needed for scheduled downtime, and approval from network administrators might be required.
4.2 Implementation
- Step 1: Stop the L2TP Network Server service using `net stop "L2TP Network Server"`.
- Step 2: Disable the service to prevent automatic startup with `sc config "L2TP Network Server" start= disabled`.
4.3 Config or Code Example
Before
sc query "L2TP Network Server"
After
sc config "L2TP Network Server" start= disabled
4.4 Security Practices Relevant to This Vulnerability
Practices that directly address this vulnerability type include least privilege and secure defaults. Least privilege reduces the impact if exploited, while secure defaults prevent unnecessary services from running.
- Practice 1: Apply the principle of least privilege by only enabling necessary network services.
- Practice 2: Use safe defaults to disable unused or unnecessary features like L2TP Network Server.
4.5 Automation (Optional)
# PowerShell example to disable L2TP service on multiple systems
foreach ($computer in @("server1", "server2")) {
    Invoke-Command -ComputerName $computer -ScriptBlock {
        Stop-Service -Name "L2TP Network Server" -Force
        Set-Service -Name "L2TP Network Server" -StartupType Disabled
    }
}
5. Verification / Validation
To confirm the fix worked, check if the L2TP service is stopped and disabled. Re-run the earlier detection to show the issue is gone. Perform a simple service smoke test by verifying other network services are still functioning correctly.
- Post-fix check: Run `sc query "L2TP Network Server"` and confirm it reports `STATE : 1 STOPPED` rather than `STATE : 4 RUNNING`.
- Re-test: Re-run `netstat -an | findstr 1701` to ensure port 1701 is no longer listening.
- Smoke test: Verify other network services like DNS and HTTP are still accessible.
- Monitoring: Monitor system logs for unexpected L2TP connection attempts as an example.
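The quick check in section 3 and the re-test above both rely on `netstat -an | findstr 1701`, which matches any line containing "1701". The following added example (not part of the original page) parses Windows `netstat -an` output and reports only sockets whose local port is exactly 1701; the sample output is constructed and includes a port 17014 decoy to show the difference.

```python
import re
from typing import List, Tuple

L2TP_PORT = 1701  # L2TP control channel port (UDP)

# One data row of Windows `netstat -an`: proto, local address, foreign address, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)

def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def l2tp_endpoints(netstat_output: str, port: int = L2TP_PORT) -> List[Tuple[str, str, str]]:
    """Return (proto, host, state) for each local socket bound exactly to `port`.
    A bare `findstr 1701` would also match port 17014 or any address containing '1701'."""
    found = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, blank or unrelated line
        proto, local, _foreign, state = m.groups()
        host, local_port = split_endpoint(local)
        if local_port != port:
            continue
        # UDP rows carry no State column; a bound UDP socket is reachable regardless
        found.append((proto.upper(), host, state or "BOUND"))
    return found

def is_l2tp_exposed(netstat_output: str) -> bool:
    """True when UDP 1701 is bound on any local address."""
    return any(proto == "UDP" for proto, _, _ in l2tp_endpoints(netstat_output))

# Constructed sample output (not captured from a real host); 17014 is a decoy for findstr.
SAMPLE_BEFORE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17014          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1701           *:*
  UDP    [::]:1701              *:*
"""
SAMPLE_AFTER = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:17014          0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    print("before fix:", l2tp_endpoints(SAMPLE_BEFORE), "exposed:", is_l2tp_exposed(SAMPLE_BEFORE))
    print("after fix:", l2tp_endpoints(SAMPLE_AFTER), "exposed:", is_l2tp_exposed(SAMPLE_AFTER))
```

On a real host, pipe the output of `netstat -an` into `l2tp_endpoints` instead of the constructed samples; an empty result after remediation confirms the re-test.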
6. Preventive Measures and Monitoring
Update security baselines to include disabling unnecessary network services like L2TP. Add checks in CI/CD pipelines to prevent the same fault from recurring.
- Baselines: Update a security baseline or policy to disable unused network services.
- Pipelines: Add checks in CI or deployment to stop insecure configurations.
- Asset and patch process: Review system configurations regularly for unnecessary services.
7. Risks, Side Effects, and Roll Back
Disabling L2TP may impact users relying on it for remote access. The roll back steps are to restart the service using `net start "L2TP Network Server"`.
- Risk or side effect 1: Users reliant on L2TP will lose connectivity.
- Roll back: Step 1: Start the L2TP Network Server service with `net start "L2TP Network Server"`.
8. References and Resources
- Vendor advisory or bulletin: N/A
- NVD or CVE entry: N/A
- Product or platform documentation relevant to the fix: https://en.wikipedia.org/wiki/L2TP