Authentication Flaw in F5 FirePass Reveals Valid Usernames
CVE-2007-0195

Currently unrated

Key Information:

Vendor: F5
Status: Firepass
Vendor: CVE Published:; 12 January 2007

Summary

The my.activation.php3 file in F5 FirePass versions 5.4 to 6.0 has a vulnerability that presents different error messages for login attempts with valid and invalid usernames. This inconsistency allows remote attackers to infer valid LDAP accounts, potentially compromising user security. By leveraging this flaw, attackers can conduct targeted brute-force attacks more effectively by confirming which usernames are legitimate.

References

https://tech.f5.com/home/solutions/sol6923.html

x_refsource_CONFIRM

http://www.mnin.org/advisories/2007_firepass.pdf

x_refsource_MISC

http://www.osvdb.org/32736

vdb-entryx_refsource_OSVDB

Timeline

Vulnerability published
Jan 12, 2007
Vulnerability Reserved
Jan 10, 2007