CVE-2020-25200
Published: 2020-10-01

Priority: P3 · 42 · medium · 5.3 (CVSS 3.1)

Exploit: EPSS 7.47% (93.7th percentile)
Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely. Note: This has been disputed by the vendor as not a vulnerability. They argue that this is an intended design.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pritunl | pritunl | — | — |
Detection & IOCs (extracted from sources)
- A valid username is identified when the server transitions from HTTP 401 to HTTP 400 after approximately 20 consecutive failed login attempts to /auth/session. Invalid usernames always return 401.
- Detect enumeration attempts by monitoring for repeated POST requests to /auth/session with Content-Type: application/json, especially bursts of 20+ requests from the same source IP.
- Alert on HTTP 400 responses from /auth/session containing the strings 'Too many authentication attempts' or 'auth_too_many' in the JSON body, as these indicate a valid username has been identified by an attacker.
- Use Shodan/FOFA/Google dorks to identify exposed Pritunl login panels that may be targeted: Shodan: http.title:"pritunl", FOFA: title="pritunl", Google: intitle:"pritunl".
- The vendor disputes this as a vulnerability, stating the differing error responses are intentional design behavior, not a security flaw.
- Exploitation requires network access to the Pritunl login endpoint; the attack is not exploitable without reachability to /auth/session.
- The enumeration threshold is approximately 20 attempts per username before the server response changes from 401 to 400; detection rules should account for this specific count window.
CVSS provenance
- NVD · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- NVD · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Nuclei
Pritunl VPN Server 1.29.2145.25 - Username Enumeration
nuclei · CVSS 5.3
Pritunl 1.29.2145.25 contains a username enumeration issue caused by different error responses to /auth/session login attempts, letting attackers verify valid usernames; exploitation requires network access to the login endpoint.
Template:
```yaml
id: CVE-2020-25200

info:
  name: Pritunl VPN Server 1.29.2145.25 - Username Enumeration
  author: pussycat0x
  severity: medium
  description: |
    Pritunl 1.29.2145.25 contains a username enumeration issue caused by different error responses to /auth/session login attempts, letting attackers verify valid usernames; exploitation requires network access to the login endpoint.
  impact: |
    Attackers can enumerate valid VPN usernames, potentially aiding targeted attacks or credential stuffing efforts.
  remediation: |
    Implem
```
No writeups or analysis indexed.