SECURITYVULNS:DOC:19653 (Apr 15, 2008)

[NEWS] Watchguard Firebox PPTP VPN User Enumeration Vulnerability

2008-04-15 00:00:00
vulners.com

The following security advisory is sent to the securiteam mailing list, and can be found at the
SecuriTeam web site: http://www.securiteam.com


The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


Watchguard Firebox PPTP VPN User Enumeration Vulnerability

SUMMARY

The <http://www.watchguard.com/products/> Firebox X family of UTM
security appliances delivers "the industry's best combination of strong
security, reliability, and performance all at a compelling price point".
The PPTP VPN service offered by Watchguard Firebox allows valid usernames
to be enumerated.

DETAILS

Vulnerable Systems:

  • Watchguard Firebox software prior to version 10

Immune Systems:

  • Watchguard Firebox software version 10

Technical Background:
The Watchguard Firebox can be configured to allow remote user access
through the use of the PPTP VPN service. When enabled this can normally be
detected remotely through the presence of an open TCP port (1723) and the
device's acceptance of the GRE protocol (IP protocol number 47).

The PPTP VPN service uses MS-CHAPv2 for authentication. This relies on a
challenge/response mechanism in order to successfully authenticate users.
When a remote user attempts to authenticate with the PPTP VPN service, an
MS-CHAPv2 packet should be returned indicating success or failure. Failure
is indicated by the return of a code 4 MS-CHAPv2 packet. This packet will
additionally contain a value in the form E=<error_number> which indicates
the type of error that occurred. A list of common error codes is given
below:

  • 646 ERROR_RESTRICTED_LOGON_HOURS
  • 647 ERROR_ACCT_DISABLED
  • 648 ERROR_PASSWD_EXPIRED
  • 649 ERROR_NO_DIALIN_PERMISSION
  • 691 ERROR_AUTHENTICATION_FAILURE
  • 709 ERROR_CHANGING_PASSWORD

The vulnerability arises because the error code returned in the failure
packet depends on whether or not the supplied username is valid. When a
valid username is given with an incorrect password, the following response
is returned: -
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x444fc9b9> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 338> <auth chap MS-v2> <magic 0xfa52b227>
<pcomp> <accomp>]
sent [LCP ConfRej id=0x1 <pcomp>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
sent [LCP ConfReq id=0x2 <magic 0x444fc9b9> <accomp>]
rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap MS-v2> <magic 0xfa52b227>
<accomp>]
sent [LCP ConfAck id=0x2 <mru 338> <auth chap MS-v2> <magic 0xfa52b227>
<accomp>]
rcvd [LCP ConfAck id=0x2 <magic 0x444fc9b9> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x444fc9b9]
rcvd [CHAP Challenge id=0x1 <d15340ea7112ac46f240e4f18fe2a278>, name =
"watchguard"]
sent [CHAP Response id=0x1 <73469ca9bed04ea6f0e5d1be49b47a1a0000000000000000f424ac68e1231f756e1657a2bc25efcd3b7ba78110bcf48201>, name = "valid_username"]
rcvd [LCP EchoRep id=0x0 magic=0xfa52b227]
rcvd [CHAP Failure id=0x1 "E=691 R=1 Try again"]
MS-CHAP authentication failed: E=691 Authentication failure
CHAP authentication failed

However, when an invalid username is supplied, the following response is
received: -
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x9689f323> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 338> <auth chap MS-v2> <magic 0x245cdcee>
<pcomp> <accomp>]
sent [LCP ConfRej id=0x1 <pcomp>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
sent [LCP ConfReq id=0x2 <magic 0x9689f323> <accomp>]
rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap MS-v2> <magic 0x245cdcee>
<accomp>]
sent [LCP ConfAck id=0x2 <mru 338> <auth chap MS-v2> <magic 0x245cdcee>
<accomp>]
rcvd [LCP ConfAck id=0x2 <magic 0x9689f323> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x9689f323]
rcvd [CHAP Challenge id=0x1 <d15340ea7112ac46f240e4f18fe2a278>, name =
"watchguard"]
sent [CHAP Response id=0x1 <73469ca9bed04ea6f0e5d1be49b47a1a0000000000000000f424ac68e1231f756e1657a2bc25efcd3b7ba78110bcf48201>, name = "invalid_username"]
rcvd [LCP EchoRep id=0x0 magic=0x245cdcee]
rcvd [CHAP Failure id=0x1 "E=649 R=1 Try again"]
MS-CHAP authentication failed: E=649
CHAP authentication failed

As can be seen, the error codes differ according to whether a valid or
invalid username is supplied. A valid username results in an E=691
Authentication Failure error response, whereas an invalid username
results in an E=649 No dialin permission error response. This difference
can be used to discriminate between valid and invalid users. The ability
to determine valid usernames would allow an attacker to conduct password
guessing attacks against the PPTP VPN service much more efficiently as
they would be able to target only those usernames known to be valid. A
compromised account could then be used to access the internal network
normally protected by the PPTP VPN service. Additionally, it is common for
organisations to use standard username formats across systems. Therefore,
usernames determined to be valid may be used to aid an attacker in
penetrating other systems. They may also be useful in conducting social
engineering attacks, as knowledge of valid usernames may allow an attacker
to appear to be more informed than an outsider would be expected to be.
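The two traces above differ only in the E= field of the CHAP Failure message, so both the problem and its detection reduce to parsing that field. The following Python is an added example, not code from the advisory, MWR or Watchguard: it parses the MS-CHAPv2 Failure message format ("E=eeeeeeeeee R=r C=cccc V=vvvvvvvvvv M=<msg>", RFC 2759 section 6), runs a simple enumeration detector over constructed, hypothetical log lines (the "<client_ip> <username> <failure message>" layout is assumed, not a real pppd or Firebox format), and shows the server-side rule that removes the oracle: an unknown username must get the same code as a wrong password. The choose_failure_code rule is an assumed approach for illustration, not a description of Watchguard's actual fix in version 10.

```python
import re

# MS-CHAPv2 Failure message layout (RFC 2759, section 6):
#   "E=eeeeeeeeee R=r C=cccc V=vvvvvvvvvv M=<msg>"
# Only the E= field is required for our purposes; R= is optional.
FAILURE_RE = re.compile(r"\bE=(?P<code>\d+)(?:\s+R=(?P<retry>[01]))?")

# Error codes listed in the advisory. 691 is returned for a valid user with a
# wrong password; 649 is returned for an unknown user, which is the leak.
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def parse_failure(message):
    """Extract (error_code, retry_allowed) from a CHAP Failure message body."""
    m = FAILURE_RE.search(message)
    if not m:
        raise ValueError("not an MS-CHAPv2 Failure message: %r" % message)
    return int(m.group("code")), m.group("retry") == "1"


# Constructed (hypothetical) log lines, one per failed PPTP logon, in an
# assumed "<client_ip> <username> <CHAP Failure message>" layout.
SAMPLE_LOG = [
    "203.0.113.7 alice E=691 R=1 Try again",
    "203.0.113.7 bob E=649 R=1 Try again",
    "203.0.113.7 carol E=649 R=1 Try again",
    "203.0.113.7 dave E=649 R=1 Try again",
    "203.0.113.7 erin E=691 R=1 Try again",
    "198.51.100.9 alice E=691 R=1 Try again",
    "198.51.100.9 alice E=691 R=1 Try again",
    "192.0.2.44 frank E=648 R=0",
]

LOG_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<msg>E=.*)$")


def find_enumeration(lines, min_unknown_users=3):
    """Group failures by client and flag clients probing many unknown names.

    A mistyped password normally repeats one username and yields 691; a
    client whose failures span several distinct usernames and include the
    unknown-user code 649 looks like enumeration instead.
    Returns {client_ip: {"users": n, "unknown": n, "codes": [..]}}.
    """
    per_client = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed layout
        code, _retry = parse_failure(m.group("msg"))
        entry = per_client.setdefault(
            m.group("ip"), {"users": set(), "unknown": set(), "codes": set()})
        entry["users"].add(m.group("user"))
        entry["codes"].add(code)
        if code == 649:
            entry["unknown"].add(m.group("user"))
    alerts = {}
    for ip, e in per_client.items():
        if len(e["unknown"]) >= min_unknown_users:
            alerts[ip] = {"users": len(e["users"]),
                          "unknown": len(e["unknown"]),
                          "codes": sorted(e["codes"])}
    return alerts


def choose_failure_code(user_known, account_code=691):
    """Server-side rule that removes the oracle (assumed approach).

    An unknown username receives the generic 691, exactly as a known user
    with a wrong password would; account-specific codes such as 649 are
    only ever sent for usernames that actually exist.
    """
    return account_code if user_known else 691


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(ip, info, [ERROR_NAMES.get(c) for c in info["codes"]])
```

Run stand-alone, the script reports the single constructed client that probed three unknown usernames; the threshold and the log layout are the two things to adapt when pointing this at real PPTP logs.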

Impact:
The impact of this vulnerability is that password guessing attacks can be
performed much more efficiently by conducting them only against those
usernames known to be valid. Additionally, these usernames may be valid on
other systems and may also aid social engineering attacks.

Cause:
During the MS-CHAPv2 authentication handshake different error codes are
returned depending on whether or not the username supplied is valid.

Interim Workaround:
The vulnerability cannot be used to request valid usernames but only to
determine whether a given username is valid. Consequently, ensuring all
usernames are difficult to guess will provide some protection against this
vulnerability.

Solution:
Watchguard have addressed this issue as of version 10 of their Firebox
software: -
<https://www.watchguard.com/archive/softwarecenter.asp>

CVE Information:
CVE-2008-1618
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1618>

ADDITIONAL INFORMATION

The information has been provided by Luke Jennings.
The original article can be found at:
<http://www.mwrinfosecurity.com/publications/mwri_watchguard-firebox-pptp-vpn-user-enumeration-advisory_2008-04-04.pdf>

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
[email protected]
In order to subscribe to the mailing list, simply forward this email to:
[email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages.
