Nortel VPN Router Unauthorised Remote Access Vulnerabilities
Two default user accounts used for diagnostics (FIPSecryptedtest1219 and FIPSunecryptedtest1219) are stored in the router's default LDAP for VPN tunnels on software builds from 3_60 onwards. These accounts are not readily visible to the system manager, but they could be abused to gain unauthorised remote access. Provided the router is not running in FIPS 140-2 mode, this vulnerability may be eliminated by deleting the two users from both the running LDAP and the LDAP template. This cannot, however, be done when running in FIPS mode, as the router requires the accounts to be present for boot diagnostics in that mode. Customers are encouraged by Nortel to upgrade their systems to 6_05.140, 5_05.304 or 5_05.149.
The web-based administration interface can be fooled into making certain functions accessible without authorisation by manipulation of the URL. No details have been disclosed yet, but it is considered possible for the configuration to be changed by this means. No separate mitigation or fix is currently available, but the same upgrades eliminate the problem.
All Nortel VPN Routers use the same DES key to encrypt user passwords, which, according to Nortel, could facilitate a brute-force attack on the router passwords should an attacker gain access to the LDAP store. Upgrading to 6_05.140 offers mitigation by providing the option of 3DES encryption, but code versions 5_0 and earlier will not be upgraded to incorporate this. Nortel is apparently working with NIST and CORSEC to offer a version of 7_00 that includes the 3DES enhancement for customers who require FIPS, but in the meantime Nortel recommends the use of strong passwords with a short lifetime. However, in view of the speed with which DES can now be broken, this would appear to offer little protection except against the most casual of attackers.
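The two actions an administrator can take on an unpatched router, per the advisory, are to remove the two default diagnostic accounts from the LDAP store and template (where FIPS mode does not forbid it) and to enforce a short password lifetime while the shared-DES-key weakness remains. The following audit script is an added example and is not Nortel's code: it parses an LDIF export of the user store and reports both conditions. Only the two account names come from the advisory; the LDIF layout, the base DN, the `uid` attribute and the use of `pwdChangedTime` (the GeneralizedTime attribute from the LDAP password-policy draft) as the password-age field are assumptions, and the sample export is constructed.

```python
"""Audit an LDIF export of a VPN Router user store for the two default
diagnostic accounts named in the Nortel advisory and for stale passwords.

Added example, not Nortel's code.  Assumptions: the export is LDIF, each
user carries a 'uid' attribute, and the last password change is recorded
in 'pwdChangedTime' (GeneralizedTime, e.g. 20240101000000Z).
"""
import base64
from datetime import datetime, timezone

# The two default diagnostic accounts named in the advisory.
DEFAULT_DIAGNOSTIC_ACCOUNTS = frozenset({"FIPSecryptedtest1219", "FIPSunecryptedtest1219"})

# Fixed "now" so the sample audit is reproducible.
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)

# Constructed sample export: two ordinary users and both default accounts.
# 'bob' is base64-encoded ('uid::') to exercise that LDIF form.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,o=vpn-router
objectClass: inetOrgPerson
uid: alice
pwdChangedTime: 20240101000000Z

dn: uid=FIPSecryptedtest1219,ou=users,o=vpn-router
objectClass: inetOrgPerson
uid: FIPSecryptedtest1219
pwdChangedTime: 20060101000000Z

dn: uid=bob,ou=users,o=vpn-router
objectClass: inetOrgPerson
uid:: Ym9i
pwdChangedTime: 20240301000000Z

dn: uid=FIPSunecryptedtest1219,ou=users,o=vpn-router
objectClass: inetOrgPerson
uid: FIPSunecryptedtest1219
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts.

    Handles folded lines, base64 values ('attr:: ...') and '#' comments.
    Entries are separated by blank lines.
    """
    entries, current = [], {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_default_accounts(entries):
    """Return the default diagnostic account names present in the export, sorted."""
    found = {uid for entry in entries for uid in entry.get("uid", [])
             if uid in DEFAULT_DIAGNOSTIC_ACCOUNTS}
    return sorted(found)


def find_stale_passwords(entries, now=SAMPLE_NOW, max_age_days=60):
    """Return uids whose password is older than max_age_days.

    An entry with no recorded change time is reported as stale too, since
    its age cannot be shown to be within the lifetime.
    """
    stale = []
    for entry in entries:
        uid = entry.get("uid", ["<no uid>"])[0]
        changed = entry.get("pwdChangedTime")
        if not changed:
            stale.append(uid)
            continue
        when = datetime.strptime(changed[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if (now - when).days > max_age_days:
            stale.append(uid)
    return sorted(stale)


def audit(text, now=SAMPLE_NOW, max_age_days=60):
    """Run both checks over an LDIF export and return a report dict."""
    entries = parse_ldif(text)
    return {
        "entries": len(entries),
        "default_accounts": find_default_accounts(entries),
        "stale_passwords": find_stale_passwords(entries, now, max_age_days),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF)
    print(f"entries examined: {report['entries']}")
    print("default diagnostic accounts present:", report["default_accounts"])
    print("passwords older than 60 days or never recorded:", report["stale_passwords"])
```

Run the same audit against both the running LDAP export and the LDAP template, since the advisory's mitigation requires the accounts to be removed from both; a non-empty `default_accounts` list on a router not running in FIPS 140-2 mode is the finding to act on.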
- VPN Router Security Issue - Unauthorized Remote Access, Nortel Advisory