Microsoft Issues Security Advisory for VPN Password Flaw

Microsoft issued Security Advisory 2743314 on Monday to warn users of two tools readily available that can be used to steal passwords from wireless networks and virtual private networks (VPNs).

The tools were first disclosed and demonstrated during last month's Defcon security event in Las Vegas. According to creator Moxie Marlin, an independent software engineer and security expert, one of the tools can be used to crack a WPA2-Enterprise (Wireless Protected Access) and PPTP (Point-to-Point Tunneling Protocol) to bypass Microsoft's MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) for the purpose of capturing targeted network traffic.

Once the network traffic is collected, a second tool created by Marlin and a team of researchers called ChapCrack can then be used to filter out the complex network traffic to a singular data encryption standard (DES) key. This key can then be inputted into an online password cracking service, which can return an authentic network password in 24 hours.

An authentic password "could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource," according to Microsoft.

While Microsoft has issued this security advisory in response to the two tools' disclosure, a security update for the issue is currently not available. The company suggests that those running VPN solutions that employ PPTP and MS-CHAP v2 for authentication use Protected Extensible Authentication Protocol (PEAP) to secure the network (information on how to do this can be found in this Microsoft Knowledge Base Article).

"Microsoft recommends that customers assess the impact of making configuration changes to their environment," according to the security advisory. "Implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs may require less change to configuration and have a lesser impact to systems than implementing a more secure VPN tunnel, such as using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication."

Microsoft said that since last month's disclosure, it has yet to see the published tools used in any active attacks, but said that it will continue to monitor the situation.

About the Author

Chris Paoli is the site producer for and


  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus