Risk: Low
NTA Monitor has discovered a username enumeration vulnerability in Symantec's Enterprise Firewall. When Symantec's Enterprise Firewall is configured for remote access (client-to-gateway) VPN using pre-shared key (PSK) authentication, it responds differently to valid and invalid usernames. An attacker can exploit this difference to determine if a given user exists. It is also possible to use this vulnerability to enumerate valid users on the system, either by brute-force or by trying likely usernames.
Interestingly, username enumeration is not a new issue - it was first mentioned in 1979 in the Morris Password Security paper: "It is poor design to write the login command in such a way that it tells an interloper when he has typed in an invalid user name. The response to an invalid name should be identical to that for a valid name."
Roy Hills, Technical Director at NTA Monitor, found the flaw and says: "There are two particularly interesting points to bear in mind when discussing this flaw - firstly, this type of flaw has been known about for almost 30 years and secondly, Symantec is not the only vendor to suffer from this problem. NTA has found username enumeration vulnerabilities in Cisco and Checkpoint products, to name just two. It's surprising to find that vendors don't seem to have recognised that these flaws are pretty commonplace and it doesn't seem that many vendors have taken proactive steps to eliminate the flaw."
Symantec has issued an advisory and workaround on the flaw, which is available at http://securityresponse.symantec.com/avcenter/security/Content/2007.08.16.html