Flaw found in Nortel's VPN client

By Dan Ilett, Special to ZDNet
23 March 2005 08:22 AM
Tags: flaw, vpn, password, nortel
Networks company Nortel is returning to the drawing board today after a security researcher claimed to have found a vulnerability in its virtual private network (VPN) software.

Security experts at NTA Monitor say that version 5.01 of Nortel's Contivity VPN client for Windows is flawed because it gives users the option of saving their VPN username and password on the computer from which they access the VPN. A hacker who gained access to the machine could find this information and then log onto the corporate network. Although the software stores the password in an encrypted format in the registry, it also stores an unencrypted copy in other places on the hard drive, NTA Monitor said.

"In my definition, I'd say this is a vulnerability," said Roy Hills, technical director for NTA Monitor. "If someone gets these details, it's a big problem, but it's a lot of effort, so let's not go overboard on this."

Nortel has acknowledged that it is unwise for users to save VPN passwords in this way, even though its software gives people this option.

"If you save your password in a VPN client, that is insecure," said a Nortel spokesman. "There is the option to save the password, but someone has to have access to your PC. It's something we plan to resolve. We don't believe this to be a major problem."

Hills's team of researchers discovered the problem in October and passed full details over to Nortel four weeks ago. Hills said that Nortel failed to respond to warnings that it could have a problem and only contacted NTA Monitor today after being contacted by ZDNet.

ZDNet UK's Dan Ilett reported from London.


Talkback 3 comments

    Internet Explorer lets you sav ... Anonymous -- 14/07/05

    Internet Explorer lets you save passwords, do you report that "Microsoft goes back to the drawing board"?

    The CISCO VPN client that I use lets you save accounts and passwords.

    Hundreds of applications let you save accounts and passwords.

    This doesn't seem to me to be something that should be reported as a "VPN problem".

    Nortel Windows VPN client password disclosure Anonymous -- 18/08/07

    It seems the legitimate user needs to be logged in for the memory dump to work, otherwise the process in memory will have been terminated and overwritten (http://www.nta-monitor.com/posts/2005/03/nortel-vpn-client.html). If the user is logged in and someone has access to the machine then they don't need to know the password, as it is inserted automatically by the SAVEd choice.

    I don't really see the big deal here. If the machine is logged in and available then there are lots of other things that a malicious user can do - keylogger anyone?

    Just don't leave a computer logged in when unattended!

    vpn Anonymous -- 21/02/09

    Very impressed with communications which enabled me to set up quickly using skype / email. Thanks to Phil & Russ at reliablehosting for this! Works great. Connection works through Norton Firewall and with Outlook Express for IMAP servers too. [url=http://world-secure-channel.com/why/]vpn[/url] is highly recommended.
