Title: OPIE Account Existence Information Leak Vulnerability
Severity: MODERATE
Description:
OPIE is a software package allowing remote authentication via one time passwords, based originally on the S/Key framework. In order to use OPIE, a user first pre-generates a sequence of one time passwords. Each time the user attempts to authenticate, they are prompted for a password. This prompt includes the sequence number currently required. Once the user authenticates, this sequence number is decremented.
As a standard security precaution, when an authentication attempt is made with an invalid account, a standard password prompt is still given. This is to avoid having an outside party map out valid accounts within the system. While OPIE includes this functionality, the password prompt includes a randomly choosen sequence number.
Through multiple (invalid) attempts to authenticate against the same account name, an attacker may take note of the different random sequence numbers given in the prompt. In the very likely event that these numbers do not remain constant or decrement by reasonable amounts, the attacker may make a reasonable assumption that the account is invalid.
Conversely, consistent behavior in the prompt gives strong evidence that the account being used is valid.
Affected Products:
- NRL OPIE 2.32.0
- NRL OPIE 2.4.0
References:
- The Inner Net: OPIE
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
