Ingate Firewall Fails to Disconnect PPTP Connections When a User is Disabled
SecurityTracker Alert ID: 1013022|
SecurityTracker URL: http://securitytracker.com/id/1013022
(Links to External Site)
Date: Jan 28 2005
Host/resource access via network|
Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 4.1.3 and prior versions|
A vulnerability was reported in Ingate Firewall. When a user is disabled, the user's PPTP tunnel remains active.|
The vendor reported that if a remote authenticated user has an active PPTP connection to the target firewall and the user is subsequently disabled on the firewall, the active PPTP connection is not disabled.
The vendor credits Neil Watson at Voicegenie with reporting this flaw.
A valid user authorized to use PPTP can continue using a PPTP tunnel after the user has been subsequently disabled.|
No solution was available at the time of this entry. The vendor plans to issue a fix in a future upgrade.|
As a workaround, the vendor indicates that you can turn off the PPTP server and apply the configuration when you want to disable a PPTP user. Then, enable the PPTP server and apply the configuration again.
Vendor URL: www.ingate.com/ (Links to External Site)
Access control error, State error|
Source Message Contents
Subject: Ingate Firewall: Removed PPTP tunnels not deactivated|
-----BEGIN PGP SIGNED MESSAGE-----
Product: Ingate Firewall
Versions: 4.1.3 and earlier
Tracking ID: 1826
Active PPTP tunnels in Ingate Firewall are not deactivated when a
PPTP user is disabled.
If a user has an active PPTP connection to an Ingate Firewall, and
that user is disabled on the Firewall, the active PPTP connection is
not disconnected, but lives on unharmed. Only when the user
disconnects does the block take effect; the next time he tries to
connect, he is not allowed to set up a connection.
If a user is being disabled by the firewall administrator while he has
an active tunnel, that tunnel can live on. He can thus have access to
the resources protected by the firewall for a long time after he was
When you disable a PPTP user, also turn off the PPTP server and apply
the configuration. This will tear down all PPTP connections. Then
enable the PPTP server and apply the configuration again.
Ingate will provide a fix for this problem in a future upgrade. No
release date has been set yet.
Thanks to Neil Watson at Voicegenie who reported this problem.
Further updates on this issue will be sent to our mailing list
Further questions regarding this issue can be directed to
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----