Open source PoPTop offers safety from Microsoft PPTP vulnerability
Oct 2, 2002 — by LinuxDevices Staff — from the LinuxDevices Archive
Salt Lake City, UT — (press release excerpt) — SnapGear Inc. announced today that their VPN Firewall appliances are free from issues recently discovered in Microsoft Windows PPTP software.
Phion Information Technologies has reported a security vulnerability in the PPTP (Point-to-Point Tunneling Protocol) service that ships with Windows 2000 and Windows XP. The problem is that a specially crafted PPTP packet can cause a buffer overflow and overwrite kernel memory. An immediate implication is that affected systems are vulnerable to DoS (Denial of Service) attacks, but it may also be possible to execute code of the attacker's choice, which could lead to a complete system compromise.
Thomas Essebier, VP of Software Engineering at SnapGear, said: “This problem does not represent a fundamental issue with the PPTP protocol, just the particular implementation in question. The code base for the SnapGear PPTP server implementation is completely different from that used by Microsoft. We designed and developed our PPTP server based upon PoPToP, an open source solution that we were instrumental in creating. The open source advantage here is that thousands of eyes have already inspected this code for bugs and errors.”
SnapGear VPN Firewall appliances are unique in that they offer both PPTP (client and server) and full peer-to-peer IPSec VPN services. Although IPSec is gradually becoming the VPN protocol of choice, there is a huge base of PPTP-ready client software found in almost all Microsoft Windows operating systems. Although PPTP is generally considered to be not as secure as IPSec, a broad range of business users still embrace the technology because of the absence of client-software costs and convenience of setup.
Implications for Windows 2000 and XP systems
Phion report that Windows 2000 and Windows XP systems running either the PPTP server or client may be at risk (their advisory states that both Windows 2000 and XP clients listen on the PPTP service port – 1723). Until further information is available, SnapGear recommends that customers disable both PPTP client and server on Windows 2000 and Windows XP systems exposed to the Internet or any other untrusted network. Systems protected by a SnapGear firewall blocking port 1723 should not be vulnerable to an outside attack, but it would still be prudent to disable non-appliance PPTP services until a Microsoft patch is available.
More information about the PPTP and IPSec protocols is available from SnapGear's VPN Overview.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc.