Information disclosure in PPTP server - CVE-2016-6398

Published: September 7, 2016


Vulnerability identifier: #VU356
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-6398
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor:
Affected software:

Detailed vulnerability description

The disclosed vulnerability allows a remote attacker to get access to potentially sensitive information.

The vulnerability is caused by incorrect handling of PPTP (Point-to-Point Tunneling Protocol) requests. A remote attacker can send a specially crafted PPTP request to a vulnerable system and obtain 63 bytes of system memory that was previously used for sending or receiving PPTP packets.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to potentially sensitive information.

How to mitigate CVE-2016-6398

Cybersecurity Help is currently unaware of any official patch that addresses this vulnerability.

As a temporary solution, the vendor has suggested the following workaround:

To work around this vulnerability, administrators can configure a 64-character local name for any virtual private dialup network (VPDN) group that is enabled for PPTP functionality. This will prevent content from being leaked from memory. The local name must be exactly 64 characters in length.

The following example shows a VPDN group that has a local name consisting of 64 hash marks:

vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 local name ################################################################
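The workaround above only helps if every PPTP-enabled VPDN group carries a local name of exactly 64 characters, so the practical check is to audit the running configuration for groups that miss the setting or use a shorter name. The following script is an added example, not code from the advisory or the vendor; it assumes IOS-style configuration text in which each vpdn-group block starts at column 0 and its sub-commands are indented, and it runs over a constructed sample configuration embedded inline.

```python
# Added example (not from the advisory or the vendor): audit a Cisco IOS-style
# running configuration for VPDN groups that accept PPTP dial-in and verify that
# each one carries the 64-character "local name" workaround for CVE-2016-6398.
# Parsing assumption: "vpdn-group <id>" starts at column 0 and the block's
# sub-commands ("accept-dialin", "protocol pptp", "local name ...") are indented.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REQUIRED_LOCAL_NAME_LEN = 64  # length the vendor workaround requires


@dataclass
class VpdnGroup:
    name: str
    pptp: bool = False
    local_name: Optional[str] = None
    lines: List[str] = field(default_factory=list)


def parse_vpdn_groups(config: str) -> List[VpdnGroup]:
    """Collect every vpdn-group block with its PPTP flag and local name."""
    groups: List[VpdnGroup] = []
    current: Optional[VpdnGroup] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # IOS comment / separator lines carry no commands
        if not line[0].isspace():
            # Any top-level command ends the block we were collecting;
            # only a new "vpdn-group <id>" starts another one.
            m = re.match(r"vpdn-group\s+(\S+)$", line)
            current = VpdnGroup(name=m.group(1)) if m else None
            if current is not None:
                groups.append(current)
            continue
        if current is None:
            continue  # indented line outside any vpdn-group block
        cmd = line.strip()
        current.lines.append(cmd)
        if cmd == "protocol pptp":
            current.pptp = True
        elif cmd.startswith("local name "):
            current.local_name = cmd[len("local name "):]
    return groups


def audit(config: str) -> Dict[str, str]:
    """Map each PPTP-enabled group to 'ok' or the reason it is non-compliant."""
    result: Dict[str, str] = {}
    for g in parse_vpdn_groups(config):
        if not g.pptp:
            continue  # the workaround applies only to PPTP-enabled groups
        if g.local_name is None:
            result[g.name] = "missing local name"
        elif len(g.local_name) != REQUIRED_LOCAL_NAME_LEN:
            result[g.name] = (
                f"local name is {len(g.local_name)} chars, "
                f"need {REQUIRED_LOCAL_NAME_LEN}"
            )
        else:
            result[g.name] = "ok"
    return result


# Constructed sample configuration (not taken from any real device):
# group 1 applies the workaround, group 2 uses a short name, group 3 is L2TP
# (out of scope), and group 4 enables PPTP with no local name at all.
SAMPLE_CONFIG = "\n".join([
    "!",
    "vpdn enable",
    "!",
    "vpdn-group 1",
    " accept-dialin",
    "  protocol pptp",
    "  virtual-template 1",
    " local name " + "#" * 64,
    "!",
    "vpdn-group 2",
    " accept-dialin",
    "  protocol pptp",
    "  virtual-template 2",
    " local name short-name",
    "!",
    "vpdn-group 3",
    " accept-dialin",
    "  protocol l2tp",
    "  virtual-template 3",
    "!",
    "vpdn-group 4",
    " accept-dialin",
    "  protocol pptp",
    "  virtual-template 4",
    "!",
])

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIG).items():
        print(f"vpdn-group {name}: {status}")
```

Feed the script the output of "show running-config" saved to a file; any group reported as anything other than "ok" still exposes the 63-byte leak described above until its local name is set to exactly 64 characters.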


Sources