


Networking


VPN flaw exposes internal networks
By Robert Lemos
Special to ZDNet
September 27, 2002, 4:20 AM PT




A suspected vulnerability in the virtual private networking (VPN) software built into Microsoft Windows, disclosed Thursday, could leave corporate intranets open to attack if it is confirmed, security experts said.

A security advisory that German security firm Phion Information Technologies posted to Internet mailing lists and to its own Web site said the vulnerability lies in the Point-to-Point Tunneling Protocol (PPTP) support of the VPN software bundled with Microsoft's Windows 2000 and Windows XP operating systems, on servers and PCs alike.

Companies often use Microsoft's VPN software to let employees log into the corporate network remotely over an encrypted channel. Because of the security a VPN is assumed to provide, many companies let VPN users connect directly into the internal network, a practice that could make this flaw a valuable one for Internet attackers, warned Marc Maiffret, chief hacking officer at eEye Digital Security.

"It's a gaping hole through the firewall," he said. "Getting into your Web server is bad, but it's not the end of the world. But getting in through your VPN? There's very little security on the inside of the network."

Companies frequently install most security protections on the perimeter of their network, looking outward for potential Internet threats. Any flaw that could let an attacker into the middle of a network could make a company easy prey.

PPTP is the older of the two tunneling protocols supported by the VPN software bundled with Windows; the newer option, the Layer 2 Tunneling Protocol (L2TP), is also available.
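The practical question the advisory raises for an administrator, given the "hole through the firewall" concern above, is whether a VPN endpoint still accepts PPTP control connections from the Internet at all. The article contains no code; the following is an added example, not from ZDNet, Phion or Microsoft. It builds a PPTP Start-Control-Connection-Request, opens the control channel on TCP port 1723 and decodes the server's Start-Control-Connection-Reply. The message layout follows RFC 2637; the host name and vendor strings, and the sample reply bytes used when no target is given, are constructed for illustration.

```python
"""Probe a VPN endpoint for an exposed PPTP control channel (TCP 1723).

Message layout follows RFC 2637 (Start-Control-Connection-Request/Reply).
The sample reply at the bottom is constructed, not captured traffic.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1          # PPTP message type: control message
SCCRQ = 1                 # Start-Control-Connection-Request
SCCRP = 2                 # Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100
SCC_LEN = 156             # SCCRQ and SCCRP are both 156 bytes on the wire

# 12-byte control header plus 144-byte body; all fields big-endian.
_HDR = "!HHIHH"
_SCCRQ = "!HHIIHH64s64s"
_SCCRP = "!HBBIIHH64s64s"


def build_sccrq(hostname=b"probe", vendor=b"example"):
    """Build a Start-Control-Connection-Request as a PPTP client sends it.

    Host name and vendor are arbitrary (assumed) strings for the probe.
    """
    hdr = struct.pack(_HDR, SCC_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0)
    body = struct.pack(_SCCRQ,
                       PROTOCOL_VERSION,
                       0,          # reserved
                       1,          # framing capabilities: asynchronous
                       1,          # bearer capabilities: analog
                       0,          # maximum channels (unused by this probe)
                       0,          # firmware revision
                       hostname,   # "64s" pads/truncates to 64 bytes
                       vendor)
    return hdr + body


def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply; raise ValueError otherwise."""
    if len(data) < SCC_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    length, msg_type, cookie, ctrl_type, _ = struct.unpack(_HDR, data[:12])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    (version, result, error, framing, bearer, max_chan, fw_rev,
     host, vendor) = struct.unpack(_SCCRP, data[12:SCC_LEN])
    return {
        "length": length,
        "version": version,
        "result_code": result,       # 1 = control connection established
        "error_code": error,
        "framing_caps": framing,
        "bearer_caps": bearer,
        "max_channels": max_chan,
        "firmware_rev": fw_rev,
        "hostname": host.split(b"\0", 1)[0].decode("ascii", "replace"),
        "vendor": vendor.split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def probe_pptp(host, port=PPTP_PORT, timeout=5.0):
    """Open the control channel and return the server's SCCRP fields.

    A result code of 1 means the endpoint accepts PPTP control connections
    from wherever this probe runs; that is the exposure to check for.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < SCC_LEN:
            chunk = s.recv(SCC_LEN - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)


# Constructed SCCRP from a server calling itself "vpn01" (assumed name),
# reporting success and both framing and bearer capabilities.
SAMPLE_SCCRP = (
    struct.pack(_HDR, SCC_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0)
    + struct.pack(_SCCRP, PROTOCOL_VERSION, 1, 0, 3, 3, 0, 0,
                  b"vpn01", b"example")
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_pptp(sys.argv[1]))      # live probe of the given host
    else:
        print(parse_sccrp(SAMPLE_SCCRP))    # offline demonstration
```

Run it with a host name to probe a real endpoint, or with no arguments to decode the constructed reply. A successful reply shows only that PPTP is reachable from the probe's vantage point; it says nothing about whether the server carries the flaw discussed in the article. Note also that the PPTP control channel is only half of the picture: the tunneled data travels over GRE (IP protocol 47), which a firewall has to permit separately, so both should be in scope when deciding whether a VPN endpoint is exposed to the Internet.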

Microsoft disputed Phion's claim that the firm had notified the software giant of the flaw before making the information public. Phion posted details of the vulnerability to several security mailing lists at around 10 a.m. PDT on Thursday.

After about six hours of analysis by the Microsoft Security Response Center, Christopher Budd, a security program manager at the company, said the flaw did not appear to allow an attacker to run code on an affected system. If that holds, the severity of the vulnerability would be greatly reduced: companies would have to fear only a denial-of-service attack on their VPN servers, not a network intruder.

Budd stressed that Microsoft is continuing to work on the problem and will have a more definitive answer soon.

"This is top priority," he said. "We are proceeding with all due speed."







Copyright © 2002 CNET Networks, Inc. All rights reserved. ZDNet is a registered service mark of CNET Networks, Inc. ZDNet Logo is service mark of CNET Networks, Inc.