The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Nortel VPN Router

computer vulnerability CVE-2009-2631

Cisco, Juniper, Microsoft, Nortel, Stonesoft: vulnerability of SSL VPN

Synthesis of the vulnerability

A design weakness in some clientless SSL VPN products can be used by an attacker to obtain information from other web sites visited by the victim.
Impacted products: Avaya Ethernet Routing Switch, ASA, IVE OS, Juniper SA, ISA, Nortel ESM, Nortel VPN Router, StoneGate Firewall.
Severity: 3/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: internet server.
Creation date: 09/12/2009.
Identifiers: 025367-01, 19500, 2009009920, 984744, BID-37152, CVE-2009-2631, KB15799, PSN-2009-11-580, VIGILANCE-VUL-9265, VU#261869.

Description of the vulnerability

Some SSL VPN products set up an SSL proxy to which users connect with their web browser. URLs of visited web sites are then rewritten as:
  https://proxy-ssl/origin-site/page.html
so that every site appears to be hosted on the https://proxy-ssl/ server.

Web browsers are designed to isolate JavaScript scripts by the domain they come from (the same-origin policy). However, when an SSL proxy places different web sites under the same domain, this protection is bypassed, and a malicious JavaScript script can thus access the content of other web sites.

Some products rewrite the source code of web pages on the fly in order to replace JavaScript calls. However, an attacker can obfuscate his code so that this rewriting is not applied.

A design weakness in some clientless SSL VPN products can therefore be used by an attacker to obtain information from other web sites visited by the victim.

computer vulnerability note CVE-2009-3563

NTP: denial of service

Synthesis of the vulnerability

A remote attacker can send a specially crafted NTP MODE_PRIVATE query in order to generate a denial of service.
Impacted products: Avaya Ethernet Routing Switch, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, Tru64 UNIX, HP-UX, AIX, Juniper J-Series, Junos OS, Mandriva Linux, Mandriva NF, Meinberg NTP Server, NetBSD, Nortel ESM, Nortel VPN Router, NLD, OES, NTP.org, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, ESX, ESXi.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 09/12/2009.
Identifiers: 025389-01, 1021781, 2009009932, 275590, 6902029, BID-37255, c01961950, c02737553, c03714526, CERTA-2010-AVI-002, CR131466, CVE-2009-3563, DSA-1948-1, FEDORA-2009-13046, FEDORA-2009-13090, FEDORA-2009-13121, FreeBSD-SA-10:02.ntpd, HPSBTU02496, HPSBUX02639, HPSBUX02859, IZ68659, IZ71047, IZ71071, IZ71093, IZ71608, IZ71610, IZ71611, IZ71613, IZ71614, MDVSA-2009:328, NetBSD-SA2010-005, PSN-2009-12-609, RHSA-2009:1648-01, RHSA-2009:1651-01, SOL10905, SSA:2009-343-01, SSRT090245, SSRT100293, SSRT101144, SUSE-SR:2009:020, VIGILANCE-VUL-9259, VMSA-2010-0004, VMSA-2010-0004.1, VMSA-2010-0004.2, VMSA-2010-0004.3, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

The NTP protocol has multiple modes of operation.

The MODE_PRIVATE mode (mode 7) is used by ntpdc to query the state of the ntpd daemon. When ntpd receives an invalid MODE_PRIVATE request, it replies with a MODE_PRIVATE error. However, when ntpd itself receives a MODE_PRIVATE error packet, it treats it as an invalid request and replies with another error, so the two parties keep sending errors back to each other in a loop.

A remote attacker can therefore send a specially crafted NTP MODE_PRIVATE query in order to generate a denial of service.
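A simplified model of the two behaviours, added here as an illustration and not taken from ntpd's source: it assumes only the real mode-7 header bits (the mode in the low three bits of the first byte, the response flag in its top bit) and treats any mode-7 packet that is not a serviceable request as one that draws an error reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RESP_BIT     0x80  /* top bit of byte 0: packet is a response */
#define MODE_PRIVATE 7     /* low three bits of byte 0: ntpdc "mode 7" */

enum action { DROP, REPLY_ERROR };

static int is_mode_private(const uint8_t *pkt, size_t len)
{
    return len >= 4 && (pkt[0] & 0x07) == MODE_PRIVATE;
}

/* Vulnerable behaviour described in the bulletin: any mode-7 packet the
 * daemon cannot service, including an incoming error response, gets an
 * error reply of its own. The response bit is never consulted. */
enum action vulnerable_handle(const uint8_t *pkt, size_t len)
{
    if (!is_mode_private(pkt, len)) return DROP;
    return REPLY_ERROR;
}

/* Hardened behaviour: a packet flagged as a response is never answered,
 * so an error can no longer be bounced back and forth. */
enum action fixed_handle(const uint8_t *pkt, size_t len)
{
    if (!is_mode_private(pkt, len)) return DROP;
    if (pkt[0] & RESP_BIT) return DROP;
    return REPLY_ERROR;
}

/* Simulate two daemons using the same handler bouncing one packet between
 * them (constructed input: a version-3 mode-7 request). Returns how many
 * error replies are sent before one side drops, capped at max_rounds. */
int simulate_exchange(enum action (*handler)(const uint8_t *, size_t),
                      int max_rounds)
{
    uint8_t pkt[8] = { (3 << 3) | MODE_PRIVATE, 0, 0, 0 };
    int rounds = 0;
    while (rounds < max_rounds) {
        if (handler(pkt, sizeof pkt) == DROP) break;
        pkt[0] |= RESP_BIT;   /* every error reply is a response packet */
        rounds++;
    }
    return rounds;
}

int main(void)
{
    printf("vulnerable: %d replies\n", simulate_exchange(vulnerable_handle, 100));
    printf("fixed:      %d replies\n", simulate_exchange(fixed_handle, 100));
    return 0;
}
```

With the vulnerable handler the exchange only stops at the cap; with the fixed handler the initial request draws one error and the returned error is dropped.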

vulnerability alert CVE-2008-5077

OpenSSL: bypassing signature check

Synthesis of the vulnerability

The OpenSSL client does not correctly validate signatures presented by the server.
Impacted products: Debian, Fedora, FreeBSD, HP-UX, Mandriva Linux, Mandriva NF, Nortel VPN Router, NLD, OES, OpenBSD, OpenSolaris, OpenSSL, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, TurboLinux, ESX.
Severity: 3/4.
Consequences: data flow, disguisement.
Provenance: internet server.
Creation date: 07/01/2009.
Identifiers: 2009009350, 250826, 6786120, BID-33150, c01706219, CERTA-2009-AVI-006, CERTA-2009-AVI-009, CERTA-2010-AVI-268, CVE-2008-5077, DSA-1701-1, FEDORA-2009-0325, FEDORA-2009-0331, FEDORA-2009-0419, FEDORA-2009-0543, FEDORA-2009-0577, FEDORA-2009-0636, FEDORA-2009-1914, FEDORA-2009-2090, FreeBSD-SA-09:02.openssl, HPSBUX02418, MDVSA-2009:001, ocert-2008-016, openSUSE-SU-2011:0845-1, SSA:2009-014-01, SSRT090002, SUSE-SA:2009:006, SUSE-SU-2011:0847-1, TLSA-2009-5, VIGILANCE-VUL-8371, VMSA-2009-0004, VMSA-2009-0004.1, VMSA-2009-0004.2, VMSA-2009-0004.3.

Description of the vulnerability

The EVP interface of OpenSSL provides high-level functions that are independent of the underlying algorithms. The EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal() functions check signatures.

The EVP_VerifyFinal() function returns:
 - 1 if the signature is valid
 - 0 if the signature is invalid
 - -1 if an unexpected error occurred

However, instead of using:
  if (EVP_VerifyFinal(...) <= 0) error;
the SSL client uses:
  if (!EVP_VerifyFinal(...)) error;
Unexpected errors are thus handled as valid signatures.

This vulnerability impacts the SSL client, when a DSA or ECDSA signature is checked.

An attacker can therefore set up an SSL server with a malicious certificate chain, or mount a man-in-the-middle attack and present an invalid certificate chain. Neither is detected by the OpenSSL client, and the victim can believe he is connected to a trusted site.
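The faulty test and its correction side by side, as an added example that is not OpenSSL's code: mock_verify_final() is a hypothetical stand-in that reproduces only EVP_VerifyFinal()'s three documented return values, with -1 standing for a signature whose encoding cannot be decoded.

```c
#include <stdio.h>

/* Hypothetical stand-in for EVP_VerifyFinal(); added example code, not
 * OpenSSL's. It returns:
 *  +1  the signature is valid
 *   0  the signature is invalid
 *  -1  an unexpected error occurred (modelled here as a signature blob
 *      that cannot be decoded, the kind of failure the DSA/ECDSA path
 *      reports before any comparison takes place) */
static int mock_verify_final(int sig_decodes, int signature_matches)
{
    if (!sig_decodes)
        return -1;
    return signature_matches ? 1 : 0;
}

/* The check quoted in the bulletin, "if (!EVP_VerifyFinal(...)) error;":
 * only the exact value 0 is treated as a failure, so -1 passes.
 * Returns 1 if the client would accept the server's signature. */
int vulnerable_client_accepts(int sig_decodes, int signature_matches)
{
    int rv = mock_verify_final(sig_decodes, signature_matches);
    if (!rv)
        return 0;
    return 1;
}

/* The corrected check, "if (EVP_VerifyFinal(...) <= 0) error;":
 * both "invalid" (0) and "error" (-1) are rejected. */
int fixed_client_accepts(int sig_decodes, int signature_matches)
{
    int rv = mock_verify_final(sig_decodes, signature_matches);
    if (rv <= 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed cases: (decodes, matches) */
    printf("valid signature:      vuln=%d fixed=%d\n",
           vulnerable_client_accepts(1, 1), fixed_client_accepts(1, 1));
    printf("invalid signature:    vuln=%d fixed=%d\n",
           vulnerable_client_accepts(1, 0), fixed_client_accepts(1, 0));
    printf("undecodable signature: vuln=%d fixed=%d\n",
           vulnerable_client_accepts(0, 0), fixed_client_accepts(0, 0));
    return 0;
}
```

The third case is the bug: the vulnerable check accepts a signature that could not even be decoded, while the fixed check rejects it.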

vulnerability bulletin CVE-2007-2332 CVE-2007-2333 CVE-2007-2334

Nortel VPN Router: 3 vulnerabilities

Synthesis of the vulnerability

Three vulnerabilities affect Nortel VPN Router; the worst one permits remote access.
Impacted products: Contivity VPN/Gateway, Nortel VPN Router.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 20/04/2007.
Identifiers: 2007007918, BID-23562, CVE-2007-2332, CVE-2007-2333, CVE-2007-2334, VIGILANCE-VUL-6753.

Description of the vulnerability

Three vulnerabilities affect Nortel VPN Router.

Two hidden accounts (FIPSecryptedtest1219 and FIPSunecryptedtest1219) are present in the LDAP template starting from version 3_60. They can be used to establish tunnels (L2TP, IPsec, PPTP, L2F), and therefore to access the internal network. [severity:3/4; CVE-2007-2333]

An attacker can use special URIs to access two pages of the web administration interface, and can thus alter parts of the configuration. [severity:3/4; CVE-2007-2334]

All routers use the same DES key to encrypt user passwords, which facilitates a brute-force attack. [severity:3/4; CVE-2007-2332]

computer vulnerability bulletin 6578

Nortel SSL VPN Net Direct Client: privilege elevation

Synthesis of the vulnerability

A local attacker can obtain root privileges via several vulnerabilities of the Unix VPN client.
Impacted products: Contivity VPN/Gateway, Nortel VPN Router.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 21/02/2007.
Identifiers: BID-22632, VIGILANCE-VUL-6578.

Description of the vulnerability

When the Unix VPN client initializes an SSL session:
 - a zip archive containing 3 programs (askpass, client and surun) is downloaded
 - it is stored under /tmp with mode 0777
 - it is extracted into the /tmp/NetClient directory
 - the mode of these 3 programs is changed to read-write for all users
 - the /tmp/NetClient/surun program is run
 - the /tmp/NetClient/askpass program is run
 - the /tmp/NetClient/client program is run as root

This procedure has several errors.

A local attacker can, for example, inject a Trojan horse into /tmp/NetClient/client, which is then run as root. This vulnerability therefore permits him to obtain root privileges.
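One check a client could make before running a downloaded program with root privileges, added here as an illustration and not Nortel's code: safe_to_run_privileged() and create_with_mode() are hypothetical names, and the files are created under /tmp only to reproduce the 0777 case from the list above.

```c
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

/* Returns 1 only if 'path' is a regular file (not a symlink) that no one
 * but its owner can write, and that owner is root or the invoking user.
 * A world-writable file in /tmp, as in the procedure above, is refused so
 * that whatever another local user placed there is never run as root. */
int safe_to_run_privileged(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;               /* missing: refuse */
    if (!S_ISREG(st.st_mode)) return 0;                /* symlink/dir/fifo */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;    /* group/world write */
    if (st.st_uid != 0 && st.st_uid != geteuid()) return 0; /* foreign owner */
    return 1;
}

/* Demo helper (hypothetical): create a small script at 'path' with exactly
 * 'mode', applying chmod after creation so the umask does not interfere.
 * Returns 0 on success, -1 on failure. */
int create_with_mode(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "#!/bin/sh\n", 10) != 10) { close(fd); return -1; }
    close(fd);
    return chmod(path, mode);
}

int main(void)
{
    const char *p = "/tmp/netclient_example_client";  /* constructed path */
    if (create_with_mode(p, 0777) == 0)
        printf("mode 0777: safe=%d\n", safe_to_run_privileged(p));
    if (create_with_mode(p, 0755) == 0)
        printf("mode 0755: safe=%d\n", safe_to_run_privileged(p));
    unlink(p);
    return 0;
}
```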

vulnerability announce CVE-2005-4197

Nortel SSL VPN: configuration change through HTTP interface

Synthesis of the vulnerability

Configuration changes can be triggered simply by displaying an administration web page.
Impacted products: Contivity VPN/Gateway, Nortel VPN Router.
Severity: 1/4.
Consequences: administrator access/rights.
Provenance: document.
Creation date: 12/12/2005.
Identifiers: BID-15798, CVE-2005-4197, SA-20051211-0, SEC Consult SA-20051211-0, VIGILANCE-VUL-5422.

Description of the vulnerability

A "Cross-Site Request Forgery" (XSRF) attack uses a single URL to trigger an action on the web server. When this URL is loaded in the web browser, the action is performed with the rights of the logged-in user.

The Nortel SSL VPN HTTP administration server is not protected against "Cross-Site Request Forgery" attacks.

For example, when the user opens the following URL, or when it is automatically loaded by the web browser, the command is run:
  https://server/tunnelform.yaws?a=command