Nortel has warned of several backdoors and other flaws in its VPN and secure routing products that could allow unauthorized remote access to an enterprise network.
User accounts used for diagnostics on Nortel VPN routers (formerly known as Contivity) could be used to gain access to a corporate VPN. In another potential vulnerability, unauthorized remote users could also gain administrative access to a VPN router through a Web interface. A third vulnerability could result in someone cracking users’ VPN passwords. Nortel says it has issued software that fixes these flaws. Product versions affected include all Nortel VPN router models – 1000, 2000, 3000, 4000 and 5000.
The user account issue, among the three discovered by a German security researcher, involves two user accounts stored in the VPN router’s default directory. The accounts are used for diagnostics of various VPN tunnel types when the router is used in Federal Information Processing Standards encryption mode, a standard used by government agencies.
“These accounts represent a potential backdoor into the private network from any VPN router,” Nortel says in a bulletin. Web-based management interfaces on VPN routers can also be accessed by unauthorized users by “careful manipulation of the URL” of the router’s Web address. Nortel says this could give limited access to some router configuration settings.
Nortel is also warning that the DES keys it uses to encrypt all user passwords on its VPN routers are identical. “It is possible, providing the attacker was able to gain access to the Lightweight Directory Access Protocol store, to use a brute force attack on the hash of a user password in order to gain network access,” Nortel says.
Nortel adds that upgrading to VPN router software versions 6_05.140, 5_05.304 or 5_05.149 fixes the three issues it is reporting. (The upgrade secures the two diagnostic user accounts, closes the vulnerability in the Web manager and adds 3DES encryption to passwords.)