Flaws in three VPN routers, Nortel warns

Nortel has warned of several backdoors and other flaws in its VPN and secure routing products that could allow unauthorized remote access to an enterprise network.

User accounts used for diagnostics on Nortel VPN routers (formerly known as Contivity) could be used to gain access to a corporate VPN. In another potential vulnerability, unauthorized remote users could also gain administrative access to a VPN router through a Web interface. A third vulnerability could result in someone cracking users’ VPN passwords. Nortel says it has issued software that fixes these flaws. Product versions affected include all Nortel VPN router models – 1000, 2000, 3000, 4000 and 5000.

The user account issue, among the three discovered by a German security researcher, involves two user accounts stored in the VPN Router’s default directory. The accounts are used for diagnostics of various VPN tunnels types when the router is used in Federal Information Processing Standards encryption mode, a standard used by government agencies.

“These accounts represent a potential backdoor into the private network from any VPN router,” Nortel says in a bulletin. Web-based management interfaces on VPN routers can also be accessed by unauthorized users by “careful manipulation of the URL” of the router’s Web address. Nortel says this could give limited access to some router configuration settings.

Nortel is also warning that the DES keys it uses to encrypt all user passwords on its VPN routers are identical. “It is possible, providing the attacker was able to gain access to the Lightweight Directory Access Protocol store, to use a brute force attack on the hash of a user password in order to gain network access,” Nortel says.

Nortel adds that upgrading to VPN router software versions 6_05.140, 5_05.304 or 5_05.149 fixes the three issues it is reporting. (The upgrade secures the two diagnostic user accounts, closes the vulnerability in the Web manager and adds 3DES encryption to passwords).

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now