Microsoft Issues Security Advisory for VPN Password Flaw

Microsoft issued Security Advisory 2743314 on Monday to warn users of two readily available tools that can be used to steal passwords from wireless networks and virtual private networks (VPNs).

The tools were first disclosed and demonstrated during last month's Defcon security event in Las Vegas. According to creator Moxie Marlin, an independent software engineer and security expert, one of the tools can be used against WPA2-Enterprise (Wireless Protected Access) and PPTP (Point-to-Point Tunneling Protocol) connections to bypass Microsoft's MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) for the purpose of capturing targeted network traffic.

Once the network traffic is collected, a second tool, called ChapCrack and created by Marlin and a team of researchers, can then be used to reduce the captured traffic to a single Data Encryption Standard (DES) key. This key can then be submitted to an online password cracking service, which can return an authentic network password in 24 hours.

An authentic password "could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource," according to Microsoft.

While Microsoft has issued this security advisory in response to the two tools' disclosure, a security update for the issue is currently not available. The company suggests that those running VPN solutions that employ PPTP and MS-CHAP v2 for authentication use Protected Extensible Authentication Protocol (PEAP) to secure the network (information on how to do this can be found in this Microsoft Knowledge Base Article).

"Microsoft recommends that customers assess the impact of making configuration changes to their environment," according to the security advisory. "Implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs may require less change to configuration and have a lesser impact to systems than implementing a more secure VPN tunnel, such as using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication."

Microsoft said that since last month's disclosure, it has yet to see the published tools used in any active attacks, but said that it will continue to monitor the situation.

About the Author

Chris Paoli is the site producer for and

