First published: Mon Apr 07 2008(Updated: )
The PPTP VPN service in Watchguard Firebox before 10, when performing the MS-CHAPv2 authentication handshake, generates different error codes depending on whether the username is valid or invalid, which allows remote attackers to enumerate valid usernames.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Watchguard Firebox Pptp Vpn | =5.0 | |
Watchguard Firebox Pptp Vpn | =4.9 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2008-1618 is classified as a medium severity vulnerability that allows remote attackers to perform username enumeration.
To mitigate CVE-2008-1618, it is recommended to upgrade Watchguard Firebox to the latest version or apply any available patches.
CVE-2008-1618 affects Watchguard Firebox PPTP VPN versions prior to 10, specifically 4.9 and 5.0.
CVE-2008-1618 allows remote attackers to enumerate valid usernames through the MS-CHAPv2 authentication handshake error code responses.
Disabling the PPTP VPN service on affected Watchguard Firebox devices can serve as a temporary workaround for CVE-2008-1618.