Microsoft VPN flaw may leave intranets open to attack

By David Legard, IDG News Service

SEPTEMBER 27, 2002

A flaw in Microsoft Corp.'s Point-to-Point Tunneling Protocol (PPTP) used to secure virtual private networks (VPN) leaves corporate intranets open to attack from outside, according to German IT security company Phion Information Technologies GmbH.

In an advisory issued yesterday, Phion said the Microsoft PPTP Service shipping with Windows 2000 and Windows XP contains a remotely exploitable pre-authentication buffer overflow. A specially crafted PPTP packet can overwrite kernel memory, so a denial-of-service attack can lock up the server.

This has been verified on Windows 2000 SP3 and Windows XP, Phion said in the advisory.

A Microsoft spokesman said today that the company is looking into the potential vulnerability.

"The Microsoft Security Response Center is thoroughly investigating this issue as a top priority," the spokesman said. "At this point in the investigation, we feel strongly that speculating on the issue at length while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information. That said, thus far -- based on our preliminary investigation -- Microsoft has not yet been able to demonstrate that this vulnerability can be used to execute arbitrary code.

"Microsoft is moving forward on the investigation with all due speed, and when it is completed we will take the action that best serves Microsoft's customers."

Phion said VPN clients are also vulnerable, since the PPTP service continually listens on an I/O port, which makes always-on Digital Subscriber Line clients particularly exposed.

Windows XP clients can be temporarily protected by firewalling the PPTP port in the Internet Connection Firewall, Phion said. The company said it didn't know of a solution for Windows 2000 and Windows XP PPTP servers.
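The workaround above, firewalling the PPTP port on clients that do not need to accept PPTP connections, can be expressed on a current Windows host with the built-in firewall cmdlets. This is an added example, not from the article or from Phion's advisory; it assumes Windows PowerShell with the NetSecurity module (Windows 8 / Server 2012 and later) rather than the XP-era Internet Connection Firewall, and it relies on the standard PPTP port assignments (control channel TCP 1723, data carried over GRE, IP protocol 47).

```powershell
# Added example (not part of the original article). Assumes an elevated
# PowerShell session with the NetSecurity module available.

# 1. Check whether anything on this host is actually listening for PPTP
#    control connections before adding rules; an empty result means the
#    host is not acting as a PPTP server.
$pptpListeners = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
if ($pptpListeners) {
    Write-Host "PPTP control channel (TCP 1723) is listening; owning PIDs:" `
        ($pptpListeners.OwningProcess -join ", ")
} else {
    Write-Host "No listener on TCP 1723."
}

# 2. Block inbound PPTP control connections (TCP 1723) on every profile.
New-NetFirewallRule -DisplayName "Block inbound PPTP control (TCP 1723)" `
    -Direction Inbound -Protocol TCP -LocalPort 1723 `
    -Action Block -Profile Any -Enabled True

# 3. Block inbound GRE (IP protocol 47), which carries the PPTP data channel.
#    GRE has no ports, so only the protocol number is specified.
New-NetFirewallRule -DisplayName "Block inbound PPTP data (GRE, proto 47)" `
    -Direction Inbound -Protocol 47 `
    -Action Block -Profile Any -Enabled True

# 4. Confirm both rules exist and are enabled.
Get-NetFirewallRule -DisplayName "Block inbound PPTP*" |
    Select-Object DisplayName, Direction, Action, Enabled
```

The rules only block inbound traffic, so a host that initiates outbound PPTP sessions as a VPN client keeps working; they protect the listening side that the advisory describes. The listener check in step 1 is the part worth running first, since a host with nothing bound to TCP 1723 is not exposed through this service regardless of firewall state.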

Computerworld's Linda Rosencrance contributed to this report.