The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Contivity VPN/Gateway

vulnerability bulletin CVE-2007-2332 CVE-2007-2333 CVE-2007-2334

Nortel VPN Router: 3 vulnerabilities

Synthesis of the vulnerability

Three vulnerabilities affect Nortel VPN Router, the worst one permits a remote access.
Impacted products: Contivity VPN/Gateway, Nortel VPN Router.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 20/04/2007.
Identifiers: 2007007918, BID-23562, CVE-2007-2332, CVE-2007-2333, CVE-2007-2334, VIGILANCE-VUL-6753.

Description of the vulnerability

Three vulnerabilities affect Nortel VPN Router.

Two invisible accounts (FIPSecryptedtest1219 and FIPSunecryptedtest1219) are present in the LDAP template starting from version 3_60. They can be used to establish tunnels (L2TP, IPSEC, PPTP, L2F), and therefore access to internal network. [severity:3/4; CVE-2007-2333]

An attacker can use special uris in order to access to two pages of web administration interface. He can thus alter some parts of configuration. [severity:3/4; CVE-2007-2334]

All routers use the same DES key to encrypt user password, which facilitates a brute force attack. [severity:3/4; CVE-2007-2332]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin 6578

Nortel SSL VPN Net Direct Client: privilege elevation

Synthesis of the vulnerability

A local attacker can obtain root privileges via several vulnerabilities of Unix VPN client.
Impacted products: Contivity VPN/Gateway, Nortel VPN Router.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 21/02/2007.
Identifiers: BID-22632, VIGILANCE-VUL-6578.

Description of the vulnerability

When the Unix VPN client initializes a SSL session:
 - a zip archive containing 3 programs (askpass, client and surun) is downloaded
 - it is stored under /tmp with the mode 0777
 - it is extracted in the /tmp/NetClient directory
 - the mode of these 3 programs is changed to read-write for all users
 - the /tmp/NetClient/surun program is run
 - the /tmp/NetClient/askpass program is run
 - the /tmp/NetClient/client program is run as root

This procedure has several errors.

A local attacker can for example inject a Trojan in /tmp/NetClient/client. This vulnerability then permits him to obtain root privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2005-4197

Nortel SSL VPN: configuration change trough HTTP interface

Synthesis of the vulnerability

Some changes can be done when an administration web page is displayed.
Impacted products: Contivity VPN/Gateway, Nortel VPN Router.
Severity: 1/4.
Consequences: administrator access/rights.
Provenance: document.
Creation date: 12/12/2005.
Identifiers: BID-15798, CVE-2005-4197, SA-20051211-0, SEC Consult SA-20051211-0, VIGILANCE-VUL-5422.

Description of the vulnerability

A "Cross-Site Request Forgery" (XSRF) attack uses only one url to generate an action on the web server. When this url is loaded in the web browser, action is done with rights of connected user.

The Nortel SSL VPN HTTP administration server is not protected against "Cross-Site Request Forgery" attacks.

For example, when user opens following url, or if it is automatically loaded by the web browser, the command is run:
  https://server/tunnelform.yaws?a=command
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.