Executive Summary

Summary
Title: Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure
Information
Name: KB2743314
First vendor Publication: 2012-08-20
Vendor: Microsoft
Last vendor Modification: 1970-01-01
Severity (Vendor): N/A
Revision: 1.0

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

CVSS vector:
CVSS Base Score: Not Defined
Attack Range: Not Defined
CVSS Impact Score: Not Defined
Attack Complexity: Not Defined
CVSS Exploit Score: Not Defined
Authentication: Not Defined

Detail

General Information

Executive Summary

Microsoft is aware that detailed exploit code has been published for known weaknesses in the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). The MS-CHAP v2 protocol is widely used as an authentication method in Point-to-Point Tunneling Protocol (PPTP)-based VPNs. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

Mitigating Factors:

  • Only VPN solutions that rely on PPTP in combination with MS-CHAP v2 as the sole authentication method are vulnerable to this issue.

Recommendation. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Issue References

For more information about this issue, see the following references:

References                          Identification
Microsoft Knowledge Base Article    2744850

Frequently Asked Questions

What is the scope of the advisory?
The purpose of this advisory is to notify customers that detailed exploit code has been published for known weaknesses in the MS-CHAP v2 protocol. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

What caused the issue?
The issue is caused by known cryptographic weaknesses in the MS-CHAP v2 protocol.

What might an attacker use the weaknesses to do?
An attacker who successfully exploited these cryptographic weaknesses could obtain user credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

How could an attacker exploit the weaknesses?
An attacker has to be able to intercept the victim's MS-CHAP v2 handshake in order to exploit this weakness, by performing man-in-the-middle attacks or by intercepting open wireless traffic. An attacker who obtained the MS-CHAP v2 authentication traffic could then use the exploit code to decrypt a user's credentials.

Is this a security vulnerability that requires Microsoft to issue a security update?
No, this is not a security vulnerability that requires Microsoft to issue a security update. This issue is due to known cryptographic weaknesses in the MS-CHAP v2 protocol and is addressed through implementing configuration changes. For information on how to secure your MS-CHAP v2/PPTP based tunnel with PEAP, see Microsoft Knowledge Base Article 2744850.

What is MS-CHAP v2?
MS-CHAP v2 is a challenge-handshake mutual authentication protocol. When a user authenticates to a service, the remote access server asks for proof by sending a challenge to the client. Then, the client asks for proof by sending a challenge to the server. If the server cannot prove that it has knowledge of the user's password by correctly answering the client's challenge, the client terminates the connection. Without mutual authentication, a remote access client could not detect a connection to an impersonating server.

Is MS-CHAP v1 affected?
MS-CHAP v1 has been deprecated. For more information, see Microsoft Knowledge Base Article 926170.

What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.

Suggested Actions

Secure your MS-CHAP v2/PPTP based tunnel with PEAP

For information on how to secure your MS-CHAP v2/PPTP based tunnel with PEAP, see Microsoft Knowledge Base Article 2744850.

Or, as an alternative to implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs, use a more secure VPN tunnel

If the tunnel technology used is flexible, and a password-based authentication method is still required, then Microsoft recommends using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication.

For more information, see the following links:

  • L2TP - Configure L2TP/IPsec-based Remote Access
  • VPN Reconnect (IPSEC IKEv2) - Configure IKEv2-based Remote Access
  • SSTP - SSTP Remote Access Step-by-Step Guide: Deployment

Note: Microsoft recommends that customers assess the impact of making configuration changes to their environment. Implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs may require less change to configuration and have a lesser impact to systems than implementing a more secure VPN tunnel, such as using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication.
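
An added example, not part of Microsoft's advisory: a PowerShell check that classifies VPN client profiles against the exposure condition under Mitigating Factors and the alternatives under Suggested Actions. The function name, sample profiles and finding strings are hypothetical; the property names are those of the objects returned by the Windows Get-VpnConnection cmdlet, and 25 is the IANA EAP type number for PEAP.

```powershell
# Added example (hypothetical helper, not Microsoft's code).
# Classifies VPN client profiles against the advisory's exposure condition:
# PPTP in combination with MS-CHAP v2 as the sole authentication method.
function Get-MsChapV2Exposure {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Connection)
    process {
        $tunnel  = "$($Connection.TunnelType)"
        $methods = @($Connection.AuthenticationMethod | ForEach-Object { "$_" })

        # Outer EAP type from the profile's EAP configuration, if present (25 = PEAP).
        $eapType = $null
        $xml = $Connection.EapConfigXmlStream
        if ($xml -is [xml]) {
            $node = $xml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
            if ($node) { $eapType = [int]$node.InnerText }
        }

        $finding = if ($tunnel -in 'L2tp', 'Sstp', 'Ikev2') {
            'OK: tunnel type recommended by the advisory'
        } elseif ($methods -contains 'Eap' -and $eapType -eq 25) {
            'OK: authentication is encapsulated in PEAP'
        } elseif ($tunnel -eq 'Pptp' -and $methods.Count -eq 1 -and $methods[0] -eq 'MSChapv2') {
            'EXPOSED: PPTP with MS-CHAP v2 as the sole authentication method'
        } else {
            # Anything else (for example TunnelType Automatic) is not settled by the advisory text.
            'REVIEW: confirm tunnel type and how authentication is protected'
        }

        [pscustomobject]@{
            Name           = $Connection.Name
            TunnelType     = $tunnel
            Authentication = $methods -join ','
            Finding        = $finding
        }
    }
}

# Constructed sample profiles so the block runs offline. On a Windows client use instead:
#   Get-VpnConnection | Get-MsChapV2Exposure
#   Get-VpnConnection -AllUserConnection | Get-MsChapV2Exposure
$peap = [xml]'<EapHostConfig><EapMethod><Type>25</Type></EapMethod></EapHostConfig>'
$sample = @(
    [pscustomobject]@{ Name = 'legacy-pptp'; TunnelType = 'Pptp'; AuthenticationMethod = @('MSChapv2'); EapConfigXmlStream = $null }
    [pscustomobject]@{ Name = 'pptp-peap'; TunnelType = 'Pptp'; AuthenticationMethod = @('Eap'); EapConfigXmlStream = $peap }
    [pscustomobject]@{ Name = 'sstp-main'; TunnelType = 'Sstp'; AuthenticationMethod = @('MSChapv2'); EapConfigXmlStream = $null }
)
$sample | Get-MsChapV2Exposure | Format-Table -AutoSize
```

This covers client-side profiles only; the authentication methods the VPN server accepts still have to be checked on the server, since a client set to PEAP offers no protection to other clients if the server continues to accept unencapsulated MS-CHAP v2 over PPTP.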

Additional Suggested Actions
  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/2743314.mspx