[ISN] VPN flaw puts internal networks at risk

From: InfoSec News (isnat_private)
Date: Fri Sep 27 2002 - 00:18:25 PDT

  • Next message: InfoSec News: "[ISN] Attack on Feds: It Came From Within"

    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    
    http://news.com.com/2100-1001-959659.html
    
    By  Robert Lemos
    Staff Writer, CNET News.com
    September 26, 2002, 4:46 PM PT
    
    A suspected vulnerability in Microsoft's popular virtual private
    networking application discovered Thursday could, if confirmed, leave
    corporate intranets open to attack, said security experts.
    
    A security advisory posted by German security firm Phion Information
    Technologies to Internet mailing lists and the company's Web site said
    that the vulnerability affects the point-to-point tunneling protocol
    (PPTP) commonly used in the VPN software bundled in Microsoft's
    Windows 2000 and XP operating systems for servers and PCs.
    
    Companies often use Microsoft's VPN to let employees log into a
    corporate network remotely via a encrypted channel. Because of the
    implied security a VPN is supposed to provide, many companies let
    users connect directly into an internal network--a practice that could
    make this flaw a valuable one for Internet attackers, warned Marc
    Maiffret, chief hacking officer for eEye Digital Security.
    
    "It's a gaping hole through the firewall," he said. "Getting into your
    Web server is bad, but it's not the end of the world. But getting in
    through your VPN? There's very little security on the inside of the
    network."
    
    Companies frequently install most security protections on the
    perimeter of their network, looking outward for potential Internet
    threats. Any flaw that could let an attacker into the middle of a
    network could make a company easy prey.
    
    PPTP is the older of two protocols with which users can securely
    communicate using the VPN software bundled in Windows. The newer
    option, Layer 2 tunneling protocol or L2TP, can also be used.
    
    Microsoft refuted Phion's claim that the company notified the software
    giant of the flaw before making information available to the general
    public. Phion posted information about the vulnerability to several
    security mailing lists around 10 a.m. PDT on Thursday.
    
    After about six hours of analysis by Microsoft security response
    center, Christopher Budd, security program manager for the company,
    said that the flaw could not be used to run code on a system. If so,
    that would greatly reduce the severity of the vulnerability:  
    Companies would only have to fear a denial-of-service attack on their
    VPN systems, not a network intruder.
    
    Budd stressed that Microsoft is continuing to work on the problem and
    will have more definitive answer soon.
    
    "This is top priority," he said. "We are proceeding with all due speed."
    
    
    _______________________________________________________________________
    eric wolbrom, CISSP			Safe Harbor Technologies
    President & CIO				190 Goldens Bridge Ct.
    Voice 914.767.9090 ext. 6000		Katonah, NY 10536
    Fax   914.767.3911				http://www.shtech.net
    _______________________________________________________________________
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 02:48:36 PDT