Executive Summary
Summary | |
---|---|
Title | Wireless PEAP-MS-CHAPv2 Authentication Could Allow Information Disclosure |
Information | | | |
---|---|---|---|
Name | KB2876146 | First vendor Publication | 2013-08-04 |
Vendor | Microsoft | Last vendor Modification | 1970-01-01 |
Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
CVSS vector: N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector: | | | |
---|---|---|---|
CVSS Base Score | Not Defined | Attack Range | Not Defined |
CVSS Impact Score | Not Defined | Attack Complexity | Not Defined |
CVSS Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is aware of a public report that describes a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 wireless authentication. In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device. Microsoft is not currently aware of active attacks or of customer impact. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

To exploit this issue, an attacker-controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

Recommendation: Apply the suggested action to require a certificate verifying a wireless access point before starting an authentication process. Please see the Suggested Actions section of this advisory for more information.

This advisory discusses the following devices. What is the scope of the advisory? Is this a security vulnerability that requires Microsoft to issue a security update? What might an attacker use the issue to do? How could an attacker exploit the issue? What is PEAP-MS-CHAPv2? What is WPA2?
To help protect against exploitation of the issue described in this advisory, apply one of the following suggested actions:

A Windows Phone 8 device can be configured to validate a network access point to help make sure the network is your company's network before starting an authentication process. This can be done by validating a certificate that's on your company's server. Only after validating the certificate is user name and password information sent to the authentication server, so the phone can connect to the Wi-Fi network.

Issuing the certificate: Corporate IT issues the root certificate that can be used to validate the wireless access point. The certificate should have an easy-to-remember name; for instance, "Contoso Corporate Root Certificate". This certificate could have already been provisioned via the IT-managed MDM (Mobile Device Management) solution. The certificate can be issued via an email message. The email message should also contain instructions from the IT department on how to turn on Wi-Fi certificate validation. For instance, the email message could contain the following steps.

Configuring a Windows Phone 8 to require a certificate verifying a wireless access point: After receiving the root certificate from Corporate IT, each Windows Phone 8 user performs the following steps:

Delete the previously configured Wi-Fi connection.

Create a new connection and enable server certificate validation.

In Settings, Wi-Fi, tap to toggle "Wi-Fi networking" to Off
Original Source
Url : http://www.microsoft.com/technet/security/advisory/2876146.mspx |
Alert History
Date | Information |
---|---|
2013-09-18 17:10:40 | |