Security Advisory: User Account Enumeration in Nortel Contivity VPN Client

Vendor: Nortel
Product Affected: Nortel Networks Contivity VPN Client
Type: Remote User Account Enumeration
Severity: Medium
Date released: 20th October 2004

Overview
The authentication failure message of the Nortel Networks Contivity VPN Client reveals more than it should: it tells the person at the keyboard whether the user name they supplied exists.

I. Description
1. If a valid user name and an invalid password are given, the Contivity VPN Client displays "Login Failure due to: authentication failure".
2. If an invalid user name is given, the Contivity VPN Client displays "Login Failed: Please verify the entered login information is correct".

II. Impact
The differing error messages let a remote attacker determine which user names are valid on the system, so that a subsequent password-guessing attack can be aimed only at accounts that actually exist.

III. Solution
This issue is resolved in Contivity VPN Client for Windows V5.01_030.
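As an added example (not code from the advisory, from Nortel, or from Network Intelligence), the Python below models the two behaviours described in sections I and III: a login check that returns the two distinct strings quoted above, the single-string check that V5.01_030 moved to, and the probe an attacker would run against each to sort candidate names into valid and invalid. The user names, passwords and salted-hash scheme are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Quoted from the advisory: the two strings the pre-V5.01 client displays.
MSG_BAD_PASSWORD = "Login Failure due to: authentication failure"
MSG_BAD_USER = "Login Failed: Please verify the entered login information is correct"


def _record(password, salt):
    """Salted SHA-256 credential record (constructed scheme for the example)."""
    return (salt, hashlib.sha256(salt + password.encode()).digest())


# Constructed user database: user name -> (salt, digest). Invented accounts.
USERS = {
    "alice": _record("correct horse", b"\x01" * 16),
    "bob": _record("battery staple", b"\x02" * 16),
}


def login_vulnerable(username, password):
    """Pre-V5.01 behaviour: the failure text says which check failed."""
    rec = USERS.get(username)
    if rec is None:
        return MSG_BAD_USER                     # unknown account
    salt, digest = rec
    candidate = hashlib.sha256(salt + password.encode()).digest()
    if not hmac.compare_digest(candidate, digest):
        return MSG_BAD_PASSWORD                 # known account, wrong password
    return "OK"


# A throw-away record used when the user name is unknown, so that the unknown
# and known paths do the same hashing work. (Assumption for the example: the
# advisory only talks about the message text, not about timing.)
_DUMMY = _record(secrets.token_hex(16), b"\x00" * 16)


def login_hardened(username, password):
    """V5.01_030 behaviour: one failure string for both failure cases."""
    salt, digest = USERS.get(username, _DUMMY)
    candidate = hashlib.sha256(salt + password.encode()).digest()
    if username in USERS and hmac.compare_digest(candidate, digest):
        return "OK"
    return MSG_BAD_PASSWORD                     # same reply for both failures


def enumerate_users(login, candidates, junk_password="not-the-password"):
    """Attacker side: submit a junk password per candidate and bucket the
    replies. With two reply strings the buckets separate valid from invalid
    names; with one string every candidate lands in the same bucket."""
    buckets = {}
    for name in candidates:
        buckets.setdefault(login(name, junk_password), []).append(name)
    return buckets


if __name__ == "__main__":
    names = ["alice", "mallory", "bob", "carol"]
    print("vulnerable:", enumerate_users(login_vulnerable, names))
    print("hardened:  ", enumerate_users(login_hardened, names))
```

The hardened variant still does the hash computation for an unknown name so that the two failure paths cost the same; the advisory itself only addresses the message text, and the next section explains why even a uniform message is not a complete fix for this client.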

Discussion
The underlying cause of this behavior is IKE aggressive mode. Two weaknesses of aggressive mode are well known:
1 - The user name (the IKE identity payload) is sent in the clear in the first message of the exchange.
2 - Valid user names can be found by brute force, because the responder behaves differently for an identity it knows and one it does not.

Vendor's Response
1 - The Contivity VPN Client uses a proprietary hash for transmitting the user name in order to avoid sending the user name in the clear
2 - As always, we recommend safe user name and password practices to safeguard against brute force attacks.

For more information on strong password practices refer to Appendix 1 of the Nortel Networks document "Nortel Networks Baseline Security Standards" which can be downloaded at Nortel Networks: Secure Networking - Securing the Network Infrastructure

For enhanced security, we recommend public key authentication.
Even though this issue has been addressed in Contivity VPN Client V5.01 (the same error message, "Login Failure due to: authentication failure", is displayed for both error entries), sophisticated users could still guess whether a request is rejected because of a wrong UID or a wrong password by observing the IKE aggressive mode exchanges. Overall, this vulnerability is inherent in the IKE aggressive mode protocol and cannot be fixed without using another method. Our recommendation is to use digital certificates for authentication, which use main mode IKE.
Customers that deploy the V5.01 client in order to avoid the explicitly different message display should also implement client version control, so that users with previous versions of the client are not allowed to authenticate.
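As an added example (not code from the advisory, from Nortel, or from Network Intelligence), the Python below models the first two messages of IKEv1 aggressive mode to show the two points listed in the Discussion and the vendor's remark that a uniform client message does not close the hole: the initiator's identity (IDii) travels unencrypted in message 1, and whether the responder can answer with HASH_R depends on whether it holds a pre-shared key for that identity, so a passive observer learns which identities are valid whatever the client later displays. The identities, keys, responder name and the responder's drop-on-unknown-identity policy are assumptions for the example; the KE values are random bytes standing in for Diffie-Hellman public values, since key agreement is not what leaks here. The SKEYID and HASH_R formulas follow RFC 2409 section 5.4.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed responder database: IKE identity -> pre-shared key. The names and
# keys are invented for this example.
PSK_DB = {
    b"alice@example.test": b"alice-secret-psk",
    b"bob@example.test": b"bob-secret-psk",
}
RESPONDER_ID = b"vpn-gw.example.test"   # IDir, also assumed


def prf(key, data):
    """HMAC-SHA1, the IKEv1 prf when SHA-1 is the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass
class Agg1:
    """Aggressive mode message 1: HDR, SA, KE, Ni, IDii. Sent unencrypted."""
    cky_i: bytes
    sa_b: bytes
    ke: bytes      # stands in for g^xi; random bytes, no real DH in this model
    ni: bytes
    idii: bytes    # the initiator's identity, readable by anyone on the path


@dataclass
class Agg2:
    """Aggressive mode message 2: HDR, SA, KE, Nr, IDir, HASH_R."""
    cky_r: bytes
    ke: bytes
    nr: bytes
    idir: bytes
    hash_r: bytes


def initiator_msg1(identity):
    return Agg1(cky_i=os.urandom(8), sa_b=b"SA:3DES-SHA1-MODP1024",
                ke=os.urandom(128), ni=os.urandom(16), idii=identity)


def hash_r(psk, m1, cky_r, ke_r, nr, idir):
    """RFC 2409 s5.4: SKEYID = prf(psk, Ni|Nr);
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = prf(psk, m1.ni + nr)
    return prf(skeyid, ke_r + m1.ke + cky_r + m1.cky_i + m1.sa_b + idir)


def responder_msg2(m1, psk_db=PSK_DB):
    """Responder. Assumed policy: an identity with no PSK gets no AGG-2, since
    SKEYID cannot be computed without a key; a real gateway may instead send a
    notify, which is just as visible to an observer."""
    psk = psk_db.get(m1.idii)
    if psk is None:
        return None
    cky_r, ke_r, nr = os.urandom(8), os.urandom(128), os.urandom(16)
    return Agg2(cky_r=cky_r, ke=ke_r, nr=nr, idir=RESPONDER_ID,
                hash_r=hash_r(psk, m1, cky_r, ke_r, nr, RESPONDER_ID))


def initiator_check_msg2(m1, m2, psk):
    """Honest initiator: recompute HASH_R with its own PSK and compare."""
    expected = hash_r(psk, m1, m2.cky_r, m2.ke, m2.nr, m2.idir)
    return hmac.compare_digest(expected, m2.hash_r)


def observe(identity, psk_db=PSK_DB):
    """Passive observer: reads IDii straight out of AGG-1 and learns whether the
    responder knows it from whether AGG-2 appears at all, regardless of what
    the client later prints on screen."""
    m1 = initiator_msg1(identity)
    m2 = responder_msg2(m1, psk_db)
    return {"id_on_wire": m1.idii, "known_to_responder": m2 is not None}


def enumerate_ids(candidates, psk_db=PSK_DB):
    """Aggressive mode user name brute force: keep the identities that got a
    reply."""
    return [c for c in candidates if observe(c, psk_db)["known_to_responder"]]


if __name__ == "__main__":
    probes = [b"alice@example.test", b"mallory@example.test", b"bob@example.test"]
    for ident in probes:
        print(observe(ident))
```

Nothing in this exchange can be changed by the client's error text: the identity is in message 1 before any key material exists, and the responder's ability to produce HASH_R is tied to having a key for that identity. That is why the vendor's text points to certificate authentication with main mode, where the identity payload is sent only after the Diffie-Hellman exchange, under encryption.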

This issue was also addressed in US-CERT Vulnerability Note VU#886601.

Systems Affected
Nortel Networks Contivity VPN Client

Network Intelligence (I) Pvt. Ltd. © 2004