Security flaw hits Symantec Enterprise Firewall

Symantec's Enterprise Firewall can be compromised by hackers via a username enumeration vulnerability, security experts warned today.

NTA Monitor said that the flaw can occur when the devices are configured for remote access (client-to-gateway) VPNs using pre-shared key authentication.

The devices respond differently to valid and invalid usernames, allowing an attacker to exploit this difference to determine whether a given user exists.

It is also possible to use the vulnerability to enumerate valid users on the system, either by brute force or by trying likely usernames, the security firm warned.

Roy Hills, technical director at NTA Monitor, said: "There are two particularly interesting points to bear in mind when discussing this flaw.

"This type of flaw has been known about for almost 30 years, and Symantec is not the only vendor to suffer from this problem."

NTA has found username enumeration vulnerabilities in Cisco and Checkpoint products, to name just two.

"It is surprising to find that vendors do not seem to have recognised that these flaws are pretty commonplace, and many vendors have not taken proactive steps to eliminate the flaw," Hills added.

Username enumeration was first mentioned in 1979 in the Morris Password Security paper.

"It is poor design to write the log-in command in such a way that it tells an interloper when he has typed in an invalid username. The response to an invalid name should be identical to that for a valid name," the paper stated.

Symantec has issued an advisory and workaround on the flaw.