SEIL/B1 authentication issue


SEIL/B1 contains an issue in the implementation of the PPP Access Concentrator (PPPAC) function, which may allow replay attacks to be performed during the authentication process.

The PPP Access Concentrator (PPPAC) function within SEIL/B1 contains an issue in the CHAP and MS-CHAP-V2 authentication processes, the same challenge value is repeatedly used for each authentication attempt.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Internet Initiative Japan Inc.
  • SEIL/B1 firmware 1.00 through 2.52


A third party may be able to perform replay attacks. As a result, the third party may gain access to the network.

According the developer, when L2TP/IPsec is being used, the authentication challenges are protected by the encryption provided by IPsec, and therefore the probability of being affected by this issue are reduced.

[Update the Software]
Update to the latest version according to the information provided by the developer.
This vulnerability has been addressed by firmware 2.60 that was released on December 1, 2009.
Vendor Information

Internet Initiative Japan Inc.
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2009-4409

  1. JVN : JVN#49602378
  2. National Vulnerability Database (NVD) : CVE-2009-4409
  3. Secunia Advisory : SA37628
  4. SecurityFocus : 37293
Revision History

  • [2009/12/09]
      Web page published