Nortel warns of three VPN Router product flaws

Three potential vulnerabilities affecting all Nortel VPN router models were flagged by the company this week. Nortel has issued patches for all three problems. Nortel adds that upgrading to VPN router software versions 6_05.140, 5_05.304 or 5_05.149 fixes the three issues it is reporting. (The upgrade secures the two diagnostic user accounts, closes the vulnerability in the Web manager and adds 3DES encryption to passwords.) Software upgrades can be obtained at Nortel's site.

User accounts used for diagnostics on Nortel VPN routers (formerly known as Contivity) could be used to gain access to a corporate VPN. In another potential vulnerability, unauthorized remote users could also gain administrative access to a VPN router through a Web interface. A third vulnerability could result in someone cracking users' VPN passwords.

Nortel says it has issued software that fixes these flaws. Product versions affected include all Nortel VPN router models (PDF format) -- 1000, 2000, 3000, 4000 and 5000.

The user account issue, among the three discovered by a German security researcher, involves two user accounts stored in the VPN Router's default directory. The accounts are used for diagnostics of various VPN tunnel types when the router is used in Federal Information Processing Standards encryption mode -- a standard used by government agencies.

"These accounts represent a potential backdoor into the private network from any VPN router," Nortel says in a bulletin.

Web-based management interfaces on VPN routers can also be accessed by unauthorized users by "careful manipulation of the URL" of the router's Web address. Nortel says this could give limited access to some router configuration settings.

Nortel is also warning that the DES keys it uses to encrypt all user passwords on its VPN routers are identical. "It is possible -- providing the attacker was able to gain access to the Lightweight Directory Access Protocol store -- to use a brute force attack on the hash of a user password in order to gain network access," Nortel says.

 

 