|
|
|
 |
Vulnerability Note VU#830214Nortel Networks Contivity VPN Client information leakage vulnerabilityOverviewThe Nortel Networks Contivity VPN Client authentication error message provide additional information that may be useful to an attacker.I. DescriptionThe Nortel Networks Contivity VPN Client software provides an encrypted and authenticated VPN connection from a client system to a Nortel Contivity VPN switch or gateway. The method that the software uses for reporting error messages may leak information that would be of use to an attacker. If a valid user name and an invalid password are given, the Contivity VPN Client displays "Login Failure due to: authentication failure". However, if an invalid user name is given, the Contivity VPN Client displays "Login Failed: Please verify the entered login information is correct". As a result, an attacker with the ability to observe the authentication error messages may be able to determine valid usernames on the corresponding server system. This information could further enable brute force or dictionary-based password guessing attacks.II. ImpactAn attacker with the ability to observe the authentication error messages would be able to determine valid user names in the system.III. SolutionUpgrade the affected softwareNortel Networks has published an updated version of the Contivity VPN client software to address this issue. Please see the Systems Affected section of this document for more information.
References
Thanks to K. K. Mookhey of Network Intelligence India for reporting this vulnerability. This document was written by Chad R Dougherty based on information provided by Nortel Networks.
If you have feedback, comments, or additional information about this vulnerability, please send us
email. |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
Get Adobe Reader