Date: Wed, 10 Nov 2004 13:21:08 +0530
From: "Network Intelligence (I) Pvt. Ltd." <info@....co.in>
To: bugtraq@...urityfocus.com,
   "full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com>,
   "vulnwatch@...nwatch.org" <vulnwatch@...nwatch.org>
Subject: Nortel Networks Contivity VPN Client information leakage vulnerability


Name: User Account Enumeration in Nortel Contivity VPN
Vendor: Nortel Networks
Products Affected: Nortel Networks Contivity VPN Client
Type: Remote User Account Enumeration
Severity: Medium

I. Overview
The Nortel Networks Contivity VPN Client authentication error message
provides more information than is necessary, thus allowing an attacker 
to discover existing users on the system. This bug was discovered as 
part of a penetration test we carried out on the VPN server of a client.

II. Description
1. If a valid user name and an invalid password are given, the Contivity
VPN Client displays "Login Failure due to: authentication failure".
2. If an invalid user name is given, the Contivity VPN Client displays
"Login Failed: Please verify the entered login information is correct".

III. Impact
The different error messages could enable a malicious person to guess
valid user names on the Contivity VPN/Firewall, and then launch
password-guessing attacks against these accounts.
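The following is an added illustration, not code from the advisory or from Nortel: a hypothetical server-side login handler written two ways, using the two failure messages quoted in the Description. The vulnerable version reproduces the behaviour the advisory describes (the message depends on whether the user name exists); the hardened version returns one message on both failure paths and performs the same hashing work for unknown and known users, so neither the text nor the response time distinguishes them. The user database, salts and passwords are constructed sample values; `leaks_user_existence` is a defender's self-check that a team could run against its own handler.

```python
import hashlib
import hmac

# Constructed sample credential store: username -> (salt, PBKDF2 hash).
# Illustration values only; nothing here comes from the Contivity product.
def _hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

_SALT = b"constructed-salt"
USERS = {
    "alice": (_SALT, _hash_password(_SALT, "correct horse battery staple")),
}

# The two messages quoted in the advisory.
AUTH_FAILURE = "Login Failure due to: authentication failure"
LOGIN_FAILED = "Login Failed: Please verify the entered login information is correct"


def login_vulnerable(username: str, password: str):
    """Mirrors the reported behaviour: an unknown user name gets one message,
    a known user name with a wrong password gets another."""
    record = USERS.get(username)
    if record is None:
        return (False, LOGIN_FAILED)
    salt, expected = record
    if hmac.compare_digest(_hash_password(salt, password), expected):
        return (True, "Login OK")
    return (False, AUTH_FAILURE)


# Dummy salt/hash used so that an unknown user name still costs one PBKDF2
# computation (constructed values, never matched by a real account).
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash_password(_DUMMY_SALT, "unused-dummy-password")


def login_hardened(username: str, password: str):
    """Same decision, but every failure returns the same generic message and
    the unknown-user path does the same amount of work as the known-user path."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(salt, password), expected)
    # The membership check prevents a match against the dummy record.
    if ok and username in USERS:
        return (True, "Login OK")
    return (False, LOGIN_FAILED)


def leaks_user_existence(login) -> bool:
    """Defender's self-check: submit a known user with a wrong password and an
    unknown user, and report whether the failure messages differ."""
    _, msg_known = login("alice", "wrong-password")
    _, msg_unknown = login("nobody-here", "wrong-password")
    return msg_known != msg_unknown


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name}: leaks user existence = {leaks_user_existence(handler)}")
```

The same self-check applies to any authentication front end: if the message, status code or response time for "unknown user" differs from "known user, wrong password", the account list is exposed to exactly the guessing described in the Impact section, and the fix is to collapse both paths into one response.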

IV. Solution
This issue is resolved in Contivity VPN Client for Windows V5.01_030.

Refer to the CERT VU Note at
http://www.kb.cert.org/vuls/id/830214 and our full advisory at 
http://www.nii.co.in/vuln/contivity.html
for information about vendor response, applying the patches, and other
technical details.

V. About Network Intelligence India
We're a leading provider of information security services and products.
Our AuditPro suite of security assessment software provides
comprehensive, policy-based security audits for Windows 2000, 2003, XP,
Redhat Linux, Sun Solaris, Oracle and MS SQL Servers. For more
information, visit us at http://www.nii.co.in

**** Happy Diwali AND Eid Mubarak! ****

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

