Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: MS05-019 Breaks VPN

from [Arley Barros Leal] Network Security [Permanent Link]
Subject: Re: MS05-019 Breaks VPN
Date: Tue, 3 May 2005 12:07:26 +0100 
This may sound a little off-topic, but I've found appropriate to remind
about last MS VPN related announcements.

On Windows XP SP2, Microsoft changed the default behavior of IPSec
NAT-Traversal to disable. That means that any Microsoft L2TP/IPSec VPN
Client behind a NAT device will fail to negotiate security (IKE) and
thus establish a VPN tunnel. This can be bypassed by manually editing
the registry:
http://support.microsoft.com/default.aspx?kbid=885407

Since then, Microsoft is also NOT recommending NAT-Traversal on Windows
Server 2003 boxes:
http://support.microsoft.com/kb/885348/

Some NAT-Safe scenarios are:

1) PPTP VPNs, since they do not relies in any kind of integrity protocol
(e.g.: AH/ESP) as IPsec does. 
2) Systems connected directly with public addresses.

Cheers,
Arley Silveira.
MCP+I MCSA MCSE iNET+ CIW-A OCP

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Brian S. Bergin
Sent: quinta-feira, 21 de Abril de 2005 4:09
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: MS05-019 Breaks VPN

At 21:11 19-04-05 Tuesday, you wrote:

After installing the update in Microsoft Security Bulletin MS05-019 on 
two servers at a customer site, we are no longer able to connect via 
VPN to terminal services on those servers.  (Other servers that did not



have the security bulletins from last Tuesday installed can connect via



VPN.)

After many hours over two days working with Microsoft Product Support 
Services, we discovered that forcing the MTU size down allowed the 
client to connect to terminal services.  Today Microsoft PSS reported 
the they have confirmed that there is a problem with ICMP messages 
being incorrectly discarded (other have opened PSS cases about this

issue).

This could be why the MTU size is not being set correctly.

There will be an update to the patch in MS05-019, but as of this time, 
that update is not available.  A Microsoft KB article is being written 
and has been assigned the number KB898060, but as to this time, that 
article is not publicly available.

I will be uninstalling the update for Security Bulletin MS05-019 from 
our customers servers this evening and waiting for the corrected patch 
before reinstalling it.


I don't believe this affects all systems.  Our 2000 SP4 PPTP server is
not bothered by the problem described above and today I rebuilt a Win2k
SP4 VPN (MS PPTP) server for a customer when the old system's HD died.
Both boxes are fully patched with all Windows Updates and HFNetChk 4.3
confirms there are no missing patches and PPTP works great for the 15 or
so VPN clients the customer has and they all hit either a 2000 TS or
their own XP Pro SP2 desktops inside their VPN connection.  Our customer
is using a Cisco 3640 with IPFW installed and the router is in NAT mode
behind a T1 and we use a Cisco PIX on a static IP ADSL connection.  Both
Cisco devices are setup to NAT the PPTP traffic to the 2000 SP4 servers.
This poster didn't state if his box was 2000 or 2003, but on 2000 SP4
the problem he describes is not evident on our systems.

Sincerely,
Terabyte Computers, Inc.

Brian S. Bergin
President

http://www.terabyte.net

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of
a message it believes is infected may well cause more harm than good.
Someone who did not actually send you a virus may receive the
notification and scramble their support staff to find an infection which
never existed in the first place. Suggest such notifications be disabled
by whomever is responsible for your AV, or at least that the idea is
considered.
--

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an 
Anti-Virus product which automatically notifies the perceived sender of a 
message it believes is infected may well cause more harm than good. Someone who 
did not actually send you a virus may receive the notification and scramble 
their support staff to find an infection which never existed in the first 
place. Suggest such notifications be disabled by whomever is responsible for 
your AV, or at least that the idea is considered.
--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SQL Server 2000 Service Pack 4, Mitlyng, Matthew J. SGT (MN)
Next by Date:  High risk flaw in HP OpenView Radia Management Agent, NGSSoftware Insight Security Research
Previous by Thread:  Re: MS05-019 Breaks VPN, Darryl J Roberts
Next by Thread:  Raw sockets, MS05-019 and Windows Firewall -- Summary, Robin Keir
Indexes:  [Date] [Thread] [Top] [All Lists]