Notified:  June 21, 2004 Updated: November 08, 2004

Status

Affected

Vendor Statement

1 The Contivity VPN Client uses a proprietary hash for transmitting the user name in order to avoid sending the user name in the clear 2 - As always, we recommend safe user name and password practices to safeguard against brute force attacks. For more information on strong password practices refer to Appendix 1 of the Nortel Networks document ortel Networks Baseline Security Standardswhich can be downloaded at Nortel Networks: Secure Networking - Securing the Network Infrastructure For enhanced security, we recommend public key authentication. Even though this issue has been addressed in Contivity VPN Client v 5.01 (the same error message of "Login Failure due to: authentication failure" is displayed for both error entries) sophisticated users could still guess if a request is rejected because of wrong UID or wrong password by observing the IKE aggressive mode exchanges. Overall, this vulnerability is inherent in IKE aggressive mode protocol and cannot be fixed without using another method. Our recommendation is to use digital certificates for authentication, which uses main mode IKE. Customers that implement the V5.01 client in order to avoid the explicitly different message display should also implement client version control to avoid allowing users with previous versions of the client the ability to authenticate. This issue was also addressed in CERT Vulnerability Note VU#886601

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Nortel reports that this issue is resolved in Contivity VPN Client for Windows versions V5.01_030 and later. Users are encouraged to review the information provided by the vendor and upgrade to the fixed version of the software.