search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Nortel Networks Contivity VPN Client information leakage vulnerability

Vulnerability Note VU#830214

Original Release Date: 2004-11-08 | Last Revised: 2004-11-08

Overview

The Nortel Networks Contivity VPN Client authentication error message provide additional information that may be useful to an attacker.

Description

The Nortel Networks Contivity VPN Client software provides an encrypted and authenticated VPN connection from a client system to a Nortel Contivity VPN switch or gateway. The method that the software uses for reporting error messages may leak information that would be of use to an attacker. If a valid user name and an invalid password are given, the Contivity VPN Client displays "Login Failure due to: authentication failure". However, if an invalid user name is given, the Contivity VPN Client displays "Login Failed: Please verify the entered login information is correct". As a result, an attacker with the ability to observe the authentication error messages may be able to determine valid usernames on the corresponding server system. This information could further enable brute force or dictionary-based password guessing attacks.

Impact

An attacker with the ability to observe the authentication error messages would be able to determine valid user names in the system.

Solution

Upgrade the affected software

Nortel Networks has published an updated version of the Contivity VPN client software to address this issue. Please see the Systems Affected section of this document for more information.

Vendor Information

830214
 

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to K. K. Mookhey of Network Intelligence India for reporting this vulnerability.

This document was written by Chad R Dougherty based on information provided by Nortel Networks.

Other Information

CVE IDs: None
Severity Metric: 0.65
Date Public: 2004-10-18
Date First Published: 2004-11-08
Date Last Updated: 2004-11-08 16:25 UTC
Document Revision: 11

Sponsored by CISA.