Check Point is advising all customers not using the latest version of its VPN software to upgrade immediately following the discovery of a security hole that could allow remote system access.

The vulnerability is a boundary error in the ISAKMP protocol when building access tunnels. Specially crafted packets can cause a buffer overflow and hence execution of code.

ISAKMP (Internet Security Association & Key Management Protocol) is an add-on security protocol (currently being considered by the IETF) which makes external network connections safer by requiring a pair of messages to be exchanged before a link is established.

Check Point is keen to point out that customers that do not use remote access or gateway VPNs will not be affected, nor will those that have upgraded to the latest versions (VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56). It also claims to know of no organisations that are affected.

However, it is a fair assumption that there will be many customers that haven't upgraded whose VPNs may be virtual but very possibly not private. Updates and more info can be found on Check Point's site here.