Security Advisory Issued for VPN Password Flaw; No Fix Yet
Microsoft is warning users via Security Advisory 2743314 that hackers can use two tools to steal passwords from wireless networks and virtual private networks. The tools were first disclosed and demonstrated during last month's Defcon security event in Las Vegas.
According to Moxie Marlinspike, the independent software engineer and security expert who created and demonstrated the tools, the first tool can be used to crack WPA2-Enterprise (Wi-Fi Protected Access) and PPTP (Point-to-Point Tunneling Protocol) connections, bypassing Microsoft's MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2), for the purpose of capturing targeted network traffic.
Once the network traffic is collected, a second tool called ChapCrack can then reduce the captured traffic to a single Data Encryption Standard (DES) key. This DES key can then be entered into an online password cracking service, which can return an authentic network password in 24 hours. That authentic password "could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource," according to Microsoft.
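Why the handshake comes down to one DES key, and why a stronger password does not help, shown as an added example that is not from the article, Microsoft or the ChapCrack project. It goes beyond the article by following the response key layout in RFC 2759; the 16-byte hash is a constructed sample and the function names are assumptions of this sketch.

```python
# Added illustration: MS-CHAP v2 response key layout as specified in RFC 2759.
# No DES is performed here; the code only shows how little secret material
# each of the three DES keys carries.

NT_HASH_LEN = 16   # MD4 of the password, always 16 bytes
PAD_LEN = 5        # public zero padding appended before the split


def split_nt_hash(nt_hash: bytes) -> list:
    """Pad the NT hash to 21 bytes and cut it into three 7-byte DES keys."""
    if len(nt_hash) != NT_HASH_LEN:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * PAD_LEN
    return [padded[i:i + 7] for i in (0, 7, 14)]


def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, setting each low bit for odd parity."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


def secret_bits_per_key() -> list:
    """Secret bits in each DES key; the padding bytes are known zeros."""
    secret = [True] * NT_HASH_LEN + [False] * PAD_LEN
    return [8 * sum(secret[i:i + 7]) for i in (0, 7, 14)]


def worst_case_des_trials() -> int:
    """Keys 1 and 2 encrypt the same 8-byte challenge hash, so one pass over
    2**56 candidates checks both; key 3 has only 2**16 candidates."""
    return 2 ** 56 + 2 ** 16


if __name__ == "__main__":
    sample = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    for part in split_nt_hash(sample):
        print(part.hex(), "->", expand_des_key(part).hex())
    print("secret bits per key:", secret_bits_per_key())
    print("worst-case DES trials: 2^56 + 2^16 =", worst_case_des_trials())
```

The work factor is fixed by the protocol rather than by password length or complexity, which is why the advisory's guidance is to wrap or replace MS-CHAP v2 rather than to strengthen passwords.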
A security update for the issue is currently not available. The company suggests that those running VPN solutions that employ PPTP and MS-CHAP v2 for authentication use Protected Extensible Authentication Protocol (PEAP) to secure the network (information on how to do this can be found in this Microsoft Knowledge Base Article).
"Microsoft recommends that customers assess the impact of making configuration changes to their environment," according to the security advisory. "Implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs may require less change to configuration and have a lesser impact to systems than implementing a more secure VPN tunnel, such as using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication."
Microsoft said that since last month's disclosure, it has yet to see the published tools used in any active attacks, but said that it will continue to monitor the situation.