| Title: | Microsoft PPTP Security Vulnerabilities |
| Date Issued: | August 19, 1998 |
| Last Modified: | August 19, 1998 |
| Code: | I-087 |
| Source: | CIAC |
INFORMATION BULLETIN
I-087: Microsoft PPTP Security Vulnerabilities
August 19, 1998 16:00 GMT
PROBLEM: Microsoft has identified vulnerabilities in the Point-to-Point
Tunneling Protocol (PPTP).
PLATFORM: Microsoft Dialup Networking 1.2x and earlier on Windows 95.
Microsoft Remote Access Services on Windows NT 4.0.
Microsoft Routing and Remote Access Services on Windows NT
Server 4.0.
Microsoft Windows 98 Dialup Networking.
DAMAGE: Dictionary attack against the LAN Manager authentication
information.
Password theft.
PPTP server spoofing.
Reuse of MPPE session keys.
SOLUTION: Apply available patches.
VULNERABILITY Risk is high. Exploiation of these vulnerabilities could allow
ASSESSMENT: the capture of passwords or viewing the contents of encrypted
sessions.
[ Start Microsoft Corp. Advisory ]
Microsoft Security Bulletin (MS98-012)
------------------------------------------------------------------------------
Updates available for Security Vulnerabilities in Microsoft PPTP
Originally Posted: August 18, 1998
Last Revised: August 18, 1998
Summary
Microsoft has released a set of patches that fix several security issues with
implementations of the Point-to-Point Tunneling Protocol (PPTP) used in
Microsoft Virtual Private Networking (VPN) products. Customers using affected
software listed below to secure communications over a public network (i.e. the
Internet) should download and apply these patches as soon as possible.
Customers who are not using PPTP for network security are not affected by this
issue.
Issue
The Microsoft implementation of PPTP uses MS-CHAP for user authentication and
Microsoft Point-to-Point Encryption (MPPE) to protect the confidentiality of
user data. Potential vulnerabilities addressed by these updates include:
Dictionary attack against the LAN Manager authentication information
Password theft
PPTP server spoofing
Reuse of MPPE session keys
While there have not been any reports of customers being adversely affected by
these problems, Microsoft is releasing these patches to address the implied
risks posed by these issues.
Affected Software Versions
The following software is affected by this vulnerability:
Microsoft Dialup Networking 1.2x and earlier on Windows 95
Microsoft Remote Access Services on Windows NT 4.0 (both client and server)
Microsoft Routing and Remote Access Services on Windows NT Server 4.0
Microsoft Windows 98 Dialup Networking
What Microsoft is Doing
On August 18th Microsoft released a set of patches that fix the problems
identified. These patches are available for download by Windows NT, Windows 95
and Windows 98 customers from the Microsoft FTP site.
Microsoft has sent this security bulletin to customers subscribing to the
Microsoft Product Security Notification Service (see
http://www.microsoft.com/security/bulletin.htm for more information about this
free customer service).
Microsoft has published the following Knowledge Base (KB) articles on this
issue:
Microsoft Knowledge Base (KB) article Q154091, Windows 95 Dial-Up Networking
1.3 Upgrade Release Notes
http://support.microsoft.com/support/kb/articles/q154/0/91.asp
Microsoft Knowledge Base (KB) article Q189594, RRAS Hotfix 3.0
http://support.microsoft.com/support/kb/articles/q189/5/94.asp
Microsoft Knowledge Base (KB) article Q189595, Windows NT 4.0 PPTP Security
Update http://support.microsoft.com/support/kb/articles/q189/5/95.asp
Microsoft Knowledge Base (KB) article Q189771, Windows 98 PPTP Security Update
http://support.microsoft.com/support/kb/articles/q189/7/71.asp
What customers should do
Microsoft highly recommends that users of affected software versions, listed
in the "Affected Software Versions" section above, should download the
appropriate patch. Complete URLs for each affected software version is given
below.
Windows NT 4.0 RAS Users
Download the patch from:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-
postSP3/pptp3-fix/
Windows NT 4.0 RRAS Users
Download the patch from:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-
postSP3/rras30-fix/
Windows 95 Users
Download the patch from:
ftp://ftp.microsoft.com/softlib/mslfiles/msdun13.exe
Windows 98 Users
Download the patch from:
ftp://ftp.microsoft.com/softlib/mslfiles/dun40.exe
Strong Encryption Versions (128-bit)
Customers in the United States and Canada can download the strong encryption
versions of these updates from:
http://mssecure.www.conxion.com/cgi-bin/ntitar.pl
More Information
Please see the following references for more information related to this
issue.
Microsoft Security Bulletin MS98-012, Updates available for Security
Vulnerabilities in Microsoft PPTP, (the Web posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms98-012.htm
Microsoft Knowledge Base (KB) article Q154091, Windows 95 Dial-Up Networking
1.3 Upgrade Release Notes
http://support.microsoft.com/support/kb/articles/q154/0/91.asp
Microsoft Knowledge Base (KB) article Q189594, RRAS Hotfix 3.0
http://support.microsoft.com/support/kb/articles/q189/5/94.asp
Microsoft Knowledge Base (KB) article Q189595, Windows NT 4.0 PPTP Security
Update http://support.microsoft.com/support/kb/articles/q189/5/95.asp
Microsoft Knowledge Base (KB) article Q189771, Windows 98 PPTP Security Update
http://support.microsoft.com/support/kb/articles/q189/7/71.asp
Revisions
August 18, 1998: Bulletin Created
For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security
------------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.
[ End Microsoft Corp. Advisory ]
CIAC wishes to acknowledge the contributions of Microsoft Corp. for the information contained in this bulletin.
For additional information or assistance, please contact CIAC:
Voice: +1 925-422-8193 (8:00 - 18:00 PST, 16:00 - 2:00 GMT)
Emergency (DOE, DOE Contractors, and NIH ONLY):
1-800-759-7243, 8550070 (primary),
8550074 (secondary)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United
States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or
assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or
process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Disclaimer]