search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Nortel Networks Contivity VPN Client information leakage vulnerability

Vulnerability Note VU#830214

Original Release Date: 2004-11-08 | Last Revised: 2004-11-08

Overview

The Nortel Networks Contivity VPN Client authentication error message provide additional information that may be useful to an attacker.

Description

The Nortel Networks Contivity VPN Client software provides an encrypted and authenticated VPN connection from a client system to a Nortel Contivity VPN switch or gateway. The method that the software uses for reporting error messages may leak information that would be of use to an attacker. If a valid user name and an invalid password are given, the Contivity VPN Client displays "Login Failure due to: authentication failure". However, if an invalid user name is given, the Contivity VPN Client displays "Login Failed: Please verify the entered login information is correct". As a result, an attacker with the ability to observe the authentication error messages may be able to determine valid usernames on the corresponding server system. This information could further enable brute force or dictionary-based password guessing attacks.

Impact

An attacker with the ability to observe the authentication error messages would be able to determine valid user names in the system.

Solution

Upgrade the affected software

Nortel Networks has published an updated version of the Contivity VPN client software to address this issue. Please see the Systems Affected section of this document for more information.

Vendor Information

830214
 
Expand all

Nortel Networks Affected

Notified:  June 21, 2004 Updated: November 08, 2004

Status

Affected

Vendor Statement

1 The Contivity VPN Client uses a proprietary hash for transmitting

the user name in order to avoid sending the user name in the clear
2 - As always, we recommend safe user name and password practices to
safeguard against brute force attacks.
For more information on strong password practices refer to Appendix 1
of the Nortel Networks document ortel Networks Baseline Security
Standardswhich can be downloaded at Nortel Networks: Secure
Networking - Securing the Network Infrastructure
For enhanced security, we recommend public key authentication.

Even though this issue has been addressed in Contivity VPN Client v
5.01 (the same error message of  "Login Failure due to:
authentication failure" is displayed for both error entries)
sophisticated users could still guess if a request is rejected
because of wrong UID or wrong password by observing the IKE
aggressive mode exchanges. Overall, this vulnerability is inherent in
IKE aggressive mode protocol and cannot be fixed without using
another method.  Our recommendation is to use digital certificates
for authentication, which uses main mode IKE.
Customers that implement the V5.01 client in order to avoid the
explicitly different message display should also implement client
version control to avoid allowing users with previous versions of the
client the ability to authenticate.
This issue was also addressed in CERT Vulnerability Note VU#886601

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Nortel reports that this issue is resolved in Contivity VPN Client for Windows versions V5.01_030 and later. Users are encouraged to review the information provided by the vendor and upgrade to the fixed version of the software.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.nii.co.in/vuln/contivity.html

Acknowledgements

Thanks to K. K. Mookhey of Network Intelligence India for reporting this vulnerability.

This document was written by Chad R Dougherty based on information provided by Nortel Networks.

Other Information

CVE IDs: None
Severity Metric: 0.65
Date Public: 2004-10-18
Date First Published: 2004-11-08
Date Last Updated: 2004-11-08 16:25 UTC
Document Revision: 11

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis