DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

PopTop PPTP Negative Read() argument remote buffer overflow

31 Jan 2016 17:46 #1 by haywardi
As some of you may be aware I'm trying to secure a 2850 for PCI/DSS compliance.

I seem to have cured most of the problems now but have two remaining.

This is the second of the problems and I'm sure it's caused by the 2850!

Firstly, I do use PPTP for a VPN connection, and the scan is identifying port 1723/tcp as the one with the problem, further confirming that it's the router that has the problem.

Suffice to say I need VPN so switching it off isn't an option.

I can't find any patches that address the problem (I'm running firmware 3.6.8.2, which I believe is the latest generally available version).

Has anyone experienced this? If so, how do I resolve it?

Thanks in advance.
Iain

01 Feb 2016 12:47 #2 by admin
I'm not sure I follow. I think you're saying that you're failing the DSS test because you have a PPTP service open... and DSS doesn't allow that, so surely the only solution is to disable PPTP and provide remote access via some other method or IP address?

Forum Administrator

01 Feb 2016 13:36 #3 by haywardi
Hi,

No, that's not what is being highlighted, and DSS compliance does not discriminate the protocol used in VPN/PPTP.

The official text is "A buffer overflow vulnerability was discovered in the PoPToP PPTP. The problem occurs due to insufficient sanity checks when referencing user-supplied input stored in the 'Length' variable." They are also saying patches exist for popular operating systems.

Unfortunately DrayOS is not one of the operating systems listed with a patch.

Hence why I'm asking if anyone is aware of the vulnerability or is it a false positive which can happen.

Iain
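
Added example, not part of the posts above and not PoPToP or DrayOS code: the class of bug the scan text describes, where a PPTP control header's 16-bit Length field is used to size a read() without being checked. The buffer size and function names are assumptions made for this sketch; the header layout is from RFC 2637.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPTP_HDR_MIN  8u    /* Length(2) + Message Type(2) + Magic Cookie(4) */
#define PPTP_MAX_CTRL 256u  /* assumed size of the receive buffer */

/* Hypothetical helper: given the bytes received so far, return how many
 * more bytes may be read for this message, or -1 if the peer-supplied
 * Length field must be rejected. */
long pptp_remaining(const uint8_t *buf, size_t have)
{
    if (have < 2)
        return -1;                      /* Length field not complete yet */
    size_t length = ((size_t)buf[0] << 8) | buf[1];  /* network byte order */
    if (length < PPTP_HDR_MIN)
        return -1;                      /* shorter than the fixed header */
    if (length < have)
        return -1;                      /* length - have would go negative */
    if (length > PPTP_MAX_CTRL)
        return -1;                      /* would overrun the buffer */
    return (long)(length - have);
}

/* What an unchecked signed subtraction turns into once it is passed as
 * the size_t count argument of read(). */
size_t unchecked_count(int length, int have)
{
    return (size_t)(length - have);
}

int main(void)
{
    /* Constructed sample headers: only the Length field matters here. */
    const uint8_t good[2]  = { 0x00, 0x9C };  /* Length = 156 */
    const uint8_t small[2] = { 0x00, 0x01 };  /* Length = 1   */

    printf("good:  read %ld more bytes\n", pptp_remaining(good, 2));
    printf("small: %ld (rejected)\n", pptp_remaining(small, 2));
    printf("unchecked count for Length=1: %zu\n", unchecked_count(1, 2));
    return 0;
}
```

Whether a given PPTP server performs this check cannot be read from an open port 1723 alone, which is why a finding like this one may come from service detection rather than from the vulnerable code being present.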

02 Feb 2016 14:17 #4 by haywardi
OK, a quick update.

I switched to IPsec and this has gone away!

Iain

03 Feb 2016 15:51 #5 by admin
I think it's a false positive; as you say, the product uses DrayOS, which is completely proprietary and doesn't use any of the common Linux libraries.

Forum Administrator