With more companies using the Internet as a backbone for building a virtual private network, any security holes in the underlying VPN software can be a major threat to vital services and to the network itself. A new Microsoft Security Bulletin, MS02-063, describes and addresses a flaw in PPTP, the most popular VPN protocol used in Windows networks.

Another recently patched flaw (MS02-064) allows a Trojan horse attack on Windows 2000-based systems, and a third new security bulletin (MS02-062) addresses a number of problems with Microsoft’s Internet Information Server (IIS).

MS02-063: PPTP, the Point-to-Point Tunneling Protocol, is vital to many virtual private network configurations, and the buffer overflow vulnerability can make both clients and servers unusable during an attack. To exploit it, an attacker can send specially malformed control data that won’t be processed correctly. Targeted servers will then lock out users by preventing them from initiating VPN sessions. Targeting clients will cause the client system to crash. Either can be restored by simply restarting the system, but a crashed client system will lose current unsaved data.

MS02-064: A Windows permissions flaw opens Windows 2000 installations to a Trojan horse attack. This is a two-stage vulnerability. The first part, as described in the FAQ portion of the Microsoft Security Bulletin, is due to the loose default permission (Everyone Full Access) set for the system root folder (usually C:\). The second part involves planting malicious code in the root folder and later getting someone to execute the program while the system root folder is set as the “current folder.” This is something that happens fairly rarely, such as during startup or when issuing [Ctrl][Alt][Del] and then starting the Task Manager.

MS02-062: The third recent MS Security Bulletin includes a cumulative patch for the Internet Information Server (IIS Web server) that includes fixes for these four vulnerabilities:

  • The first is an elevated privilege threat, in which an attacker can upload and run arbitrary code with SYSTEM level privileges.
  • The second relates to the way IIS allocates memory to WebDAV requests. A specially crafted request sent to IIS 5.0 or IIS 5.1 may consume so much memory that it triggers a denial of service (DoS) event.
  • The third relates only to IIS 5.0 and may allow an attacker to upload and execute arbitrary code.
  • The fourth is a cross-site scripting threat that will allow malicious HTML code to execute.

PPTP issue—Windows 2000 and Windows XP are affected.

Windows permissions flaw—All varieties of Windows 2000 are affected, but shared workstations are especially vulnerable. This isn’t generally a threat to Windows XP systems. However, since all folders get the same loose permissions in NT4, this is a widely known threat for that OS, which most administrators are already aware of and are coping with.

IIS vulnerabilities—IIS 4.0, IIS 5.0, and IIS 5.1 (both 32- and 64-bit versions) are listed in the Microsoft Bulletin as being susceptible to these new flaws. The Symantec Bulletin describing this vulnerability has a more detailed list of affected platforms including, among others, Cisco Call Manager and Windows XP Home Edition. Some of the threats apply to only one or two versions of IIS, but the bulletin covers a number of threats.

Risk level–highest level is critical
PPTP issue—This vulnerability can result in a DoS attack and is rated critical by Microsoft, in part because PPTP is normally used only for vital business systems. The company states that it is not aware of any way this flaw could result in system compromise beyond the DoS event.

Windows permissions flaw—Microsoft rates this as a moderate threat.

IIS vulnerabilities—Microsoft rates the risk of these IIS flaws as moderate, but Symantec rates the risk as high.

Mitigating factors
PPTP issue—A firewall is no protection for a PPTP-enabled VPN. Port 1723 must be open for the VPN to work, so that is not a mitigating factor.

Windows permissions flaw—No mitigating factors are listed.

IIS vulnerabilities—Microsoft lists various mitigating factors for the different vulnerabilities, most of which boil down to the fact that if the server manager follows good security practices, most of the threats will not be a problem.

PPTP issue—Three patches are available to address the PPTP flaw: one for Windows 2000 and one each for the 32-bit and 64-bit XP installations. Since there may be updates and location changes, you should go to MS02-063 for the links.

Windows permissions flaw—Changing the permissions of the root folder is the best fix. This requires an administrative procedure rather than a patch. You need to reset the default permissions for various folders. An explanation of this, along with a security template, appears in the FAQ section of MS02-064. For a manual fix, Microsoft recommends applying the default permissions that are normally set for XP: Administrators: Full (This Folder, Subfolders, And Files), Creators Owners: Full (Subfolders And Files), System: Full (This Folder, Subfolders, And Files), Everyone: Read And Execute (This Folder Only).

IIS vulnerabilities—Apply patches as described in MS02-062. This bulletin supersedes MS02-018 and MS02-28. Symantec suggests that you “disallow anonymous access to services” and “do not allow unknown or untrusted individuals to upload files onto critical or sensitive systems.” It also offers these recommendations:

  • Block unnecessary external access at the network boundary.
  • Restrict access to trusted hosts and networks where practical.
  • Don’t follow strange links.
  • Remove any sample files and directories.

Final word
One way to get around the PPTP problem is to consider migrating to the L2TP protocol, especially if you are running Windows 2000 VPN servers and Windows 2000 (or later) clients. L2TP has a number of advantages over PPTP, as this article explains.