Check Point hit by VPN vulnerability

Brief: Firms that use one of Check Point's virtual private networking products need to patch now to prevent a possible security problem

Companies that use one of Check Point's virtual private networking applications have been urged to patch their systems after the discovery of a security hole in the products.

The vulnerability could allow a hacker to break into a supposedly secure connection set up through one of Check Point's VPN-1 applications, the company warned last week. In some circumstances, a company's wider network could also be under threat.

Customers who have already upgraded to one of the latest versions of Check Point's VPN-1 range should be safe, but those who haven't should visit the company's Web site to download a fix. Windows, Linux, Solaris, SecurePlatform and IPSO versions are all affected.

"Check Point knows of no organisations that have had systems affected by this issue. However, in order to protect VPN-1 Gateways, Check Point recommends that customers install an update on all enforcement modules," said the company.

The flaw in question concerns ISAKMP (Internet Security Association & Key Management Protocol), the networking protocol that allows the VPN server and client to confirm each other's identity by exchanging a key before the secure connection is set up.

If a specially engineered packet is received by an unpatched server during the ISAKMP negotiations, then this will cause a buffer overrun that compromises the security of the VPN link.
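The article does not say which field of the packet was mishandled. As an added illustration of the defensive side (not Check Point's code), the sketch below shows the kind of length validation an ISAKMP receiver performs before copying any payload. It assumes the header and generic payload layout from RFC 2408; the function names and the sample message are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ISAKMP_HDR_LEN  28u  /* fixed header, RFC 2408 section 3.1 */
#define GENERIC_HDR_LEN 4u   /* generic payload header, RFC 2408 section 3.2 */

/* Hypothetical helper: returns the number of payloads if every length field
 * fits inside the bytes actually received, or -1 if the message must be
 * dropped before any payload body is copied. */
int isakmp_check_lengths(const uint8_t *pkt, size_t received)
{
    if (pkt == NULL || received < ISAKMP_HDR_LEN)
        return -1;
    /* Total message length: 32-bit big-endian at offset 24. */
    uint32_t total = ((uint32_t)pkt[24] << 24) | ((uint32_t)pkt[25] << 16) |
                     ((uint32_t)pkt[26] << 8) | (uint32_t)pkt[27];
    if (total < ISAKMP_HDR_LEN || total > received)
        return -1;
    if (pkt[19] & 0x01)          /* encryption flag: chain is opaque here */
        return 0;
    uint8_t next = pkt[16];      /* type of the first payload, 0 = none */
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (next != 0) {
        if (total - off < GENERIC_HDR_LEN)
            return -1;           /* no room left for a payload header */
        size_t plen = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        if (plen < GENERIC_HDR_LEN || plen > total - off)
            return -1;           /* claimed length runs past the message */
        next = pkt[off];
        off += plen;
        count++;
    }
    return off == total ? count : -1;
}

/* Constructed sample: header plus one 8-byte payload of type 1 whose
 * length field is set to claimed_len. Always writes 36 bytes. */
size_t build_sample(uint8_t *buf, uint16_t claimed_len)
{
    memset(buf, 0, 36);
    buf[16] = 1;                 /* next payload */
    buf[17] = 0x10;              /* version 1.0 */
    buf[27] = 36;                /* total length */
    buf[30] = (uint8_t)(claimed_len >> 8);
    buf[31] = (uint8_t)claimed_len;
    return 36;
}
```

A receiver would call `isakmp_check_lengths` on each datagram and discard anything that returns -1 before handing payloads to the negotiation code.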
