SnapGear Safe From Microsoft PPTP Vulnerability
SALT LAKE CITY, Utah – October 2nd, 2002 – SnapGear Inc., a leading supplier of Internet security products, announced that their VPN Firewall appliances are free from issues recently discovered in Microsoft(R) Windows(R) PPTP software.
Phion Information Technologies has reported a security vulnerability in the PPTP (Point-to-Point Tunneling Protocol) service that ships with Windows 2000 and Windows XP. A specially crafted PPTP packet can cause a buffer overflow and overwrite kernel memory. An immediate implication is that affected systems are vulnerable to DoS (Denial of Service) attacks, but it may also be possible to execute code of the attacker’s choice, which could lead to a complete system compromise.
Thomas Essebier, SnapGear Inc.’s VP of Software Engineering, said: “Snap Gear devices are not affected by this vulnerability. This problem does not represent a fundamental issue with the PPTP protocol, just the particular implementation in question. The code base for the Snap Gear PPTP server implementation is completely different from that used by Microsoft. We designed and developed our PPTP server based upon PoPToP, an open source solution that we were instrumental in creating. The open source advantage here is that thousands of eyes have already inspected this code for bugs and errors.”
Snap Gear(TM) VPN Firewall appliances are unique in that they offer both PPTP (client & server) and full peer-to-peer IPSec VPN services. Although IPSec is gradually becoming the VPN protocol of choice, there is a huge base of PPTP-ready client software found in almost all Microsoft Windows operating systems. Although PPTP is generally considered to be less secure than IPSec, a broad range of business users still embrace the technology because of the absence of client-software costs and the convenience of setup.
Implications for Windows 2000 and XP systems
Phion reports that Windows 2000 and Windows XP systems running either the PPTP server or client may be at risk (their advisory states that both Windows 2000 and XP clients listen on the PPTP service port, 1723). Until further information is available, Snap Gear recommends that customers disable both PPTP client and server on Windows 2000 and Windows XP systems exposed to the Internet or any other untrusted network. Systems protected by a Snap Gear firewall blocking port 1723 should not be vulnerable to an outside attack, but it would still be prudent to disable non-appliance PPTP services until a Microsoft patch is available.
Miles Gillham, VP Marketing of SnapGear Inc., said: “Customers using Snap Gear appliances for their infrastructure are completely shielded at both the client and server sides. IT managers in SMB/SMEs like our products because we offer lifetime free firmware upgrades, no inbuilt user limitations, and interoperate with other leading VPN technologies. It’s big iron technology in a small, affordable appliance.”
About PPTP
More information about the PPTP and IPSec protocols is available from the Snap Gear VPN Overview (www.snapgear.com/vpn.html).
About Snap Gear, Inc.
SnapGear Inc. produces Snap Gear VPN Firewall Appliances designed to provide Internet security and privacy of communications for small to medium enterprises. Snap Gear also does complete custom engineering and provides turnkey development, design, manufacturing, and fulfillment services for major telecommunications companies and silicon manufacturers. For more information on Snap Gear products please visit www.snapgear.com.
The Snap Gear LITE+ recently won the prestigious 2002 Linux Journal Editor’s Choice Award for Best Server Appliance.
“Snap Gear” is a trademark of SnapGear Inc. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other products, services, companies and publications are trademarks or registered trademarks of their respective owners.