The Nortel Contivity Secure IP Services Gateways provide routing, IPSec and SSL VPN, firewall, bandwidth management, encryption, authentication, and data integrity for secure connectivity across managed IP networks and the Internet.
The Nortel Networks Contivity VPN Client authentication error message provides more information than is necessary, thus allowing an attacker to discover existing users on the system.
Credit:
The information has been provided by Network Intelligence (I) Pvt. Ltd.
The original article can be found at: http://www.nii.co.in/vuln/contivity.html
Vulnerable Systems:
* Contivity VPN Client for Windows versions prior to 5.01_030
Immune Systems:
* Contivity VPN Client for Windows version 5.01_030
When a valid user name and an invalid password are given at login, the Contivity VPN Client displays "Login Failure due to: authentication failure". If an invalid user name is given, the Contivity VPN Client displays "Login Failed: Please verify the entered login information is correct".
The different error messages could enable a malicious person to guess valid user names on the Contivity VPN/Firewall, and then run brute-force attacks against these accounts. The underlying cause of this behavior is IKE's aggressive mode.
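
The sketch below is an added example, not Nortel's code: it models the two-message behaviour described above as a generic password login (it does not implement IKE aggressive mode), shows a hardened form that returns one failure message, and includes a regression check that flags the difference. The account store, function names and the "OK" success value are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample account store (not Nortel data): user -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so an unknown user costs the same hash work as a known one.
_DUMMY = (os.urandom(16), os.urandom(32))

# The two messages quoted in the advisory.
MSG_BAD_PASSWORD = "Login Failure due to: authentication failure"
MSG_BAD_USER = "Login Failed: Please verify the entered login information is correct"

def login_verbose(user: str, password: str) -> str:
    """Behaviour the advisory describes: the message reveals which field was wrong."""
    if user not in USERS:
        return MSG_BAD_USER
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return MSG_BAD_PASSWORD
    return "OK"

def login_uniform(user: str, password: str) -> str:
    """Hardened form: one failure message, same work for known and unknown users."""
    salt, stored = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and user in USERS:
        return "OK"
    return MSG_BAD_USER

def leaks_user_existence(login) -> bool:
    """Regression check: do a known and an unknown user get different failures?"""
    known = login("alice", "wrong-password")
    unknown = login("no-such-user", "wrong-password")
    return known != unknown

if __name__ == "__main__":
    print("verbose leaks:", leaks_user_existence(login_verbose))
    print("uniform leaks:", leaks_user_existence(login_uniform))
```

A check like `leaks_user_existence` fits in a test suite for any login path, so a later change that reintroduces distinct failure messages is caught before release.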