JPCERT-AT-2012-0027
JPCERT/CC
2012-08-23

<<< JPCERT/CC Alert 23-08-12 >>>
Disclosure of credentials with MS-CHAP v2
https://www.jpcert.or.jp/english/at/2012/at120027.html

I. Overview

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2 is widely used as an authentication method in Point-to-Point Tunneling Protocol (PPTP)-based VPNs. A third party who can observe MS-CHAP v2 authentication traffic may recover the credentials from it. MS-CHAP v2 is also used in some cases as an authentication protocol for wired and wireless LANs.

An attacker could capture user authentication traffic through a man-in-the-middle attack or by intercepting wireless communications, and then recover the credentials by leveraging the weaknesses of MS-CHAP v2. As a result, the attacker may decrypt protected communications or gain unauthorized access to a system using the recovered credentials.

  Microsoft Security Advisory (2743314)
  Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure
  http://technet.microsoft.com/en-us/security/advisory/2743314

Microsoft Japan states that detailed exploit code has been publicly available for this vulnerability. Taking into account the possibility of future attacks leveraging this vulnerability, it is recommended to consider the solution shown in III if an internal system is accessed through a PPTP-based VPN.

II. Affected Systems

Any system with PPTP-based VPN connections using only MS-CHAP v2

  * Users are not affected if the MS-CHAP v2 authentication traffic is encrypted by other means.

According to Microsoft Japan, users are not affected when MS-CHAP v2 is used to authenticate wired or wireless LAN access on a Windows client, because Microsoft offers only one option there: PEAP in combination with MS-CHAP v2. Those who use other appliances are unlikely to be affected, since PEAP, TLS and similar protocols are generally used together with MS-CHAP v2 in many implementations. However, it is recommended to refer to the information provided by the relevant vendor.

III. Solution

When building a new system or updating an existing one, do not use MS-CHAP v2 on its own. Either use PEAP or another encapsulating protocol in combination with MS-CHAP v2, or choose a configuration that does not involve PPTP (such as IKEv2/IPsec or L2TP/IPsec). Apply the same choice, PEAP or another encapsulating protocol together with MS-CHAP v2 or a VPN other than a PPTP-based one, to both current and future system configurations.

If you continue to use only MS-CHAP v2 until the migration is completed, make sure that there is no unauthorized access by periodically checking the authentication logs of the network appliances or servers currently in operation.

IV. References

  Microsoft Security Advisory (2743314)
  Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure
  http://technet.microsoft.com/en-us/security/advisory/2743314

  Japan Security Team
  Released the Security Advisory #2743314: Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure
  http://blogs.technet.com/b/jpsecurity/archive/2012/08/21/3515331.aspx

If you have any information regarding this alert, please contact JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600
FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
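The following PowerShell is an added example illustrating the configuration choices in section III; it is not part of the alert or of Microsoft's advisory. It assumes a Windows client with the VpnClient cmdlets (Get-VpnConnection, Add-VpnConnection, available from Windows 8 / Server 2012). The connection names, the server address and the pre-shared key are placeholders, and the EAP configuration file path is assumed to be supplied by your RADIUS/NPS administrator.

```powershell
# Added example, not from the JPCERT alert or Microsoft's advisory.
# Connection names, server address, PSK and file path are placeholders.

# 1. Audit: find client VPN profiles that use MS-CHAP v2 directly over PPTP,
#    i.e. the configuration the alert lists as affected.
function Get-UnprotectedMsChapV2Connection {
    Get-VpnConnection -ErrorAction SilentlyContinue |
        Where-Object {
            $_.TunnelType -eq 'Pptp' -and
            $_.AuthenticationMethod -contains 'MsChapv2'
        }
}

$affected = Get-UnprotectedMsChapV2Connection
if ($affected) {
    Write-Warning 'PPTP profiles authenticating with unencapsulated MS-CHAP v2:'
    $affected | Format-Table Name, ServerAddress, TunnelType, AuthenticationMethod
} else {
    Write-Output 'No PPTP + MS-CHAP v2 profiles found on this client.'
}

# 2. Weak configuration, shown only for contrast (left commented out so it is
#    never created): MS-CHAP v2 exchanged in the clear over PPTP.
# Add-VpnConnection -Name 'Corp-PPTP' -ServerAddress 'vpn.example.com' `
#     -TunnelType Pptp -AuthenticationMethod MSChapv2

# 3a. Corrected configuration: keep MS-CHAP v2 but carry it inside IPsec via
#     L2TP/IPsec, so the challenge/response is no longer exposed on the wire.
Add-VpnConnection -Name 'Corp-L2TP' -ServerAddress 'vpn.example.com' `
    -TunnelType L2tp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -L2tpPsk 'REPLACE-WITH-YOUR-PSK' -Force

# 3b. Alternative: IKEv2 with EAP (for example PEAP with MS-CHAP v2 inside),
#     using the EAP configuration XML exported from your NPS/RADIUS setup.
# $eap = [xml](Get-Content 'C:\path\to\eapconfig.xml')   # assumed path
# Add-VpnConnection -Name 'Corp-IKEv2' -ServerAddress 'vpn.example.com' `
#     -TunnelType Ikev2 -AuthenticationMethod Eap -EapConfigXmlStream $eap -Force
```

Run the audit part first on existing clients; only profiles whose TunnelType is Pptp and whose authentication method list contains MsChapv2 match the affected case, since L2TP/IPsec and IKEv2 profiles already protect the handshake as the alert recommends.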