September 26, 2002 4:46 PM PDT
VPN flaw puts internal networks at risk
A security advisory posted by Austrian security firm Phion Information Technologies to Internet mailing lists and the company's Web site said that the vulnerability affects the point-to-point tunneling protocol (PPTP) commonly used in the VPN software bundled in Microsoft's Windows 2000 and XP operating systems for servers and PCs.
Companies often use Microsoft's VPN to let employees log into a corporate network remotely via an encrypted channel. Because of the implied security a VPN is supposed to provide, many companies let users connect directly into an internal network--a practice that could make this flaw a valuable one for Internet attackers, warned Marc Maiffret, chief hacking officer for eEye Digital Security.
"It's a gaping hole through the firewall," he said. "Getting into your Web server is bad, but it's not the end of the world. But getting in through your VPN? There's very little security on the inside of the network."
Companies frequently install most security protections on the perimeter of their network, looking outward for potential Internet threats. Any flaw that could let an attacker into the middle of a network could make a company easy prey.
PPTP is the older of the two protocols that the VPN software bundled in Windows can use for secure communication; the newer option is the Layer 2 Tunneling Protocol (L2TP).
Phion found the flaw when its engineers were trying to integrate one of the company's software products with Microsoft's VPN features, said Klaus Gheri, Phion's chief technology officer.
"We are actually working with Microsoft to resolve this issue," Gheri said. "Microsoft has been sent sample code that can be used to crash the systems. From this it should be possible for Redmond to locate the point in the PPTP daemon where the buffer overflow occurs."
Gheri stressed that only Microsoft has been sent the sample code, and no details have been disclosed to any other researchers.
Microsoft generally labels the public disclosure of flaws as irresponsible, and even worked to form a group, announced Thursday, that aims to set a standard time period for security researchers to wait before announcing security flaws.
After about six hours of analysis by the Microsoft Security Response Center, Christopher Budd, security program manager for the company, said that the flaw could not be used to run code on a system. If so, that would greatly reduce the severity of the vulnerability: Companies would only have to fear a denial-of-service attack on their VPN systems, not a network intruder.
Budd stressed that Microsoft is continuing to work on the problem and will have a more definitive answer soon.
"This is top priority," he said. "We are proceeding with all due speed."