Microsoft Issues Security Advisory for VPN Password Flaw
Microsoft issued Security Advisory 2743314 on Monday to warn users of two readily available tools that can be used to steal passwords from wireless networks and virtual private networks (VPNs).
The tools were first disclosed and demonstrated during last month's Defcon security event in Las Vegas. According to creator Moxie Marlinspike, an independent software engineer and security expert, one of the tools can be used to crack WPA2-Enterprise (Wi-Fi Protected Access) and PPTP (Point-to-Point Tunneling Protocol) connections and bypass Microsoft's MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) for the purpose of capturing targeted network traffic.
Once the network traffic is collected, a second tool called ChapCrack, created by Marlinspike and a team of researchers, can then be used to reduce the captured network traffic to a single Data Encryption Standard (DES) key. This key can then be submitted to an online password cracking service, which can return an authentic network password in 24 hours.
An authentic password "could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource," according to Microsoft.
While Microsoft has issued this security advisory in response to the two tools' disclosure, a security update for the issue is currently not available. The company suggests that those running VPN solutions that employ PPTP and MS-CHAP v2 for authentication use Protected Extensible Authentication Protocol (PEAP) to secure the network (information on how to do this can be found in this Microsoft Knowledge Base Article).
"Microsoft recommends that customers assess the impact of making configuration changes to their environment," according to the security advisory. "Implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs may require less change to configuration and have a lesser impact to systems than implementing a more secure VPN tunnel, such as using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication."
Microsoft said that since last month's disclosure, it has yet to see the published tools used in any active attacks, but said that it will continue to monitor the situation.