[NEWS] Watchguard Firebox PPTP VPN User Enumeration Vulnerability

2008-04-15T00:00:00
ID SECURITYVULNS:DOC:19653
Type securityvulns
Reporter Securityvulns
Modified 2008-04-15T00:00:00

Description

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


Watchguard Firebox PPTP VPN User Enumeration Vulnerability

SUMMARY

The Firebox X family of UTM security appliances (http://www.watchguard.com/products/) delivers "the industry's best combination of strong security, reliability, and performance all at a compelling price point". The PPTP VPN service offered by Watchguard Firebox allows valid usernames to be enumerated.

DETAILS

Vulnerable Systems:
 * Watchguard Firebox software prior to version 10

Immune Systems:
 * Watchguard Firebox software version 10

Technical Background: The Watchguard Firebox can be configured to allow remote user access through the use of the PPTP VPN service. When enabled, this can normally be detected remotely through the presence of an open TCP port (1723) and the device's acceptance of the GRE protocol (IP protocol number 47).

The PPTP VPN service uses MS-CHAPv2 for authentication. This relies on a challenge/response mechanism in order to successfully authenticate users. When a remote user attempts to authenticate with the PPTP VPN service, an MS-CHAPv2 packet should be returned indicating success or failure. Failure is indicated by the return of a code 4 MS-CHAPv2 packet. This packet will additionally contain a value in the form E=<error_number> which indicates the type of error that occurred. A list of common error codes is given below:

 646 ERROR_RESTRICTED_LOGON_HOURS
 647 ERROR_ACCT_DISABLED
 648 ERROR_PASSWD_EXPIRED
 649 ERROR_NO_DIALIN_PERMISSION
 691 ERROR_AUTHENTICATION_FAILURE
 709 ERROR_CHANGING_PASSWORD

The vulnerability occurs as a consequence of differences in the error codes returned in the failure packet which are dependent on whether or not the username supplied is valid. When a valid username is given with an incorrect password the following response is returned:

 sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x444fc9b9> <accomp>]
 rcvd [LCP ConfReq id=0x1 <mru 338> <auth chap MS-v2> <magic 0xfa52b227> <pcomp> <accomp>]
 sent [LCP ConfRej id=0x1 <pcomp>]
 rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
 sent [LCP ConfReq id=0x2 <magic 0x444fc9b9> <accomp>]
 rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap MS-v2> <magic 0xfa52b227> <accomp>]
 sent [LCP ConfAck id=0x2 <mru 338> <auth chap MS-v2> <magic 0xfa52b227> <accomp>]
 rcvd [LCP ConfAck id=0x2 <magic 0x444fc9b9> <accomp>]
 sent [LCP EchoReq id=0x0 magic=0x444fc9b9]
 rcvd [CHAP Challenge id=0x1 <d15340ea7112ac46f240e4f18fe2a278>, name = "watchguard"]
 sent [CHAP Response id=0x1 <73469ca9bed04ea6f0e5d1be49b47a1a0000000000000000f424ac68e1231f756e1657a2bc25efcd3b7ba78110bcf48201>, name = "valid_username"]
 rcvd [LCP EchoRep id=0x0 magic=0xfa52b227]
 rcvd [CHAP Failure id=0x1 "E=691 R=1 Try again"]
 MS-CHAP authentication failed: E=691 Authentication failure
 CHAP authentication failed

However, when an invalid username is supplied, the following response is received:

 sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x9689f323> <accomp>]
 rcvd [LCP ConfReq id=0x1 <mru 338> <auth chap MS-v2> <magic 0x245cdcee> <pcomp> <accomp>]
 sent [LCP ConfRej id=0x1 <pcomp>]
 rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
 sent [LCP ConfReq id=0x2 <magic 0x9689f323> <accomp>]
 rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap MS-v2> <magic 0x245cdcee> <accomp>]
 sent [LCP ConfAck id=0x2 <mru 338> <auth chap MS-v2> <magic 0x245cdcee> <accomp>]
 rcvd [LCP ConfAck id=0x2 <magic 0x9689f323> <accomp>]
 sent [LCP EchoReq id=0x0 magic=0x9689f323]
 rcvd [CHAP Challenge id=0x1 <d15340ea7112ac46f240e4f18fe2a278>, name = "watchguard"]
 sent [CHAP Response id=0x1 <73469ca9bed04ea6f0e5d1be49b47a1a0000000000000000f424ac68e1231f756e1657a2bc25efcd3b7ba78110bcf48201>, name = "invalid_username"]
 rcvd [LCP EchoRep id=0x0 magic=0x245cdcee]
 rcvd [CHAP Failure id=0x1 "E=649 R=1 Try again"]
 MS-CHAP authentication failed: E=649
 CHAP authentication failed

As can be seen, the error codes differ according to whether a valid or invalid username is supplied. A valid username results in an E=691 Authentication Failure error response, whereas an invalid username results in an E=649 No dialin permission error response. This difference can be used to discriminate between valid and invalid users. The ability to determine valid usernames would allow an attacker to conduct password guessing attacks against the PPTP VPN service much more efficiently as they would be able to target only those usernames known to be valid. A compromised account could then be used to access the internal network normally protected by the PPTP VPN service. Additionally, it is common for organisations to use standard username formats across systems. Therefore, usernames determined to be valid may be used to aid an attacker in penetrating other systems. They may also be useful in conducting social engineering attacks, as knowledge of valid usernames may allow an attacker to appear to be more informed than an outsider would be expected to be.
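As an added detection example (not part of this advisory or of WatchGuard's own tooling): a small Python script that parses the MS-CHAPv2 Failure string described above and, over a constructed VPN failure log in a hypothetical one-line-per-failure format, flags a source whose failures sweep many distinct usernames, which is the pattern this oracle produces when it is being used. The log format, field names and addresses are assumptions.

```python
import re
from collections import defaultdict

# MS-CHAPv2 Failure packet error codes (RFC 2759) as listed in the advisory above.
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}
# Failure message layout "E=eee R=r C=<32 hex> V=v M=<msg>" (RFC 2759); only E= is treated as
# required here because the pppd output on this page logs it truncated to "E=691 R=1 Try again".
FAILURE_RE = re.compile(
    r"E=(?P<code>\d+)(?:\s+R=(?P<retry>[01]))?(?:\s+C=(?P<chal>[0-9A-Fa-f]{32}))?"
    r"(?:\s+V=(?P<ver>\d+))?(?:\s+M=(?P<msg>.*))?")
# Hypothetical VPN log format constructed for this example: one authentication failure per line.
LINE_RE = re.compile(r'^(?P<ts>\S+) pptp src=(?P<src>\S+) user="(?P<user>[^"]*)" (?P<fail>E=.*)$')

def parse_failure(text):
    """Parse the quoted CHAP Failure string into code, symbolic name, retry flag and message."""
    m = FAILURE_RE.search(text)
    if not m:
        return None
    code = int(m.group("code"))
    return {"code": code, "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
            "retry": m.group("retry") == "1", "message": m.group("msg")}

def find_enumeration(log_text, min_users=3):
    """Flag sources whose failures span many distinct usernames. On an unpatched Firebox
    E=649 means the name is unknown, so a 649/691 mix from one source is the oracle in use."""
    per_src = defaultdict(lambda: {"users": set(), "codes": set(), "valid_hits": set()})
    for line in log_text.splitlines():
        lm = LINE_RE.match(line)
        fail = parse_failure(lm.group("fail")) if lm else None
        if not fail:
            continue  # unparseable line or not a CHAP failure
        rec = per_src[lm.group("src")]
        rec["users"].add(lm.group("user"))
        rec["codes"].add(fail["code"])
        if fail["code"] == 691:  # account exists; its password is now being guessed
            rec["valid_hits"].add(lm.group("user"))
    return {src: {"distinct_users": len(r["users"]), "codes": sorted(r["codes"]),
                  "accounts_to_watch": sorted(r["valid_hits"])}
            for src, r in per_src.items() if len(r["users"]) >= min_users}

# Constructed sample: one source sweeps four names, another is a user retyping a password.
SAMPLE_LOG = """\
2008-04-04T10:00:01 pptp src=203.0.113.5 user="alice" E=691 R=1 Try again
2008-04-04T10:00:02 pptp src=203.0.113.5 user="bob" E=649 R=1 Try again
2008-04-04T10:00:03 pptp src=203.0.113.5 user="carol" E=649 R=1 Try again
2008-04-04T10:00:04 pptp src=203.0.113.5 user="eve" E=691 R=1 Try again
2008-04-04T10:05:00 pptp src=198.51.100.7 user="alice" E=691 R=1 Try again
"""
```

Running find_enumeration(SAMPLE_LOG) reports only 203.0.113.5, with codes [649, 691] and alice and eve as the accounts whose passwords are now worth protecting; on a version 10 appliance the same sweep would return a single code and the "codes" list is the quickest way to confirm the fix is in place.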

Impact: The impact of this vulnerability is that password guessing attacks can be performed much more efficiently by conducting them only against those usernames known to be valid. Additionally, these usernames may be valid on other systems and may also aid social engineering attacks.

Cause: During the MS-CHAPv2 authentication handshake different error codes are returned depending on whether or not the username supplied is valid.

Interim Workaround: The vulnerability cannot be used to request valid usernames but only to determine whether a given username is valid. Consequently, ensuring all usernames are difficult to guess will provide some protection against this vulnerability.

Solution: Watchguard have addressed this issue as of version 10 of their Firebox software: https://www.watchguard.com/archive/softwarecenter.asp

CVE Information: CVE-2008-1618 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1618)

ADDITIONAL INFORMATION

The information has been provided by Luke Jennings. The original article can be found at:
http://www.mwrinfosecurity.com/publications/mwri_watchguard-firebox-pptp-vpn-user-enumeration-advisory_2008-04-04.pdf
