Microsoft Security Advisory (2743314)
Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure
Published:
Version: 1.0
General Information
Executive Summary
Microsoft is aware that detailed exploit code has been published for known weaknesses in the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). The MS-CHAP v2 protocol is widely used as an authentication method in Point-to-Point Tunneling Protocol (PPTP)-based VPNs. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
Mitigating Factors:
- Only VPN solutions that rely on PPTP in combination with MS-CHAP v2 as the sole authentication method are vulnerable to this issue.
Recommendation. Please see the Suggested Actions section of this advisory for more information.
Advisory Details
Issue References
For more information about this issue, see the following references:
| References | Identification |
|---|---|
| Microsoft Knowledge Base Article | 2744850 |
Frequently Asked Questions
What is the scope of the advisory?
The purpose of this advisory is to notify customers that detailed exploit code has been published for known weaknesses in the MS-CHAP v2 protocol. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
What caused the issue?
The issue is caused by known cryptographic weaknesses in the MS-CHAP v2 protocol.
What might an attacker use the weaknesses to do?
An attacker who successfully exploited these cryptographic weaknesses could obtain user credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource
How could an attacker exploit the weaknesses?
An attacker has to be able to intercept the victim's MS-CHAP v2 handshake in order to exploit this weakness, by performing man-in-the-middle attacks or by intercepting open wireless traffic. An attacker who obtained the MS-CHAP v2 authentication traffic could then use the exploit code to decrypt a user's credentials.
Is this a security vulnerability that requires Microsoft to issue a security update?
No, this is not a security vulnerability that requires Microsoft to issue a security update. This issue is due to known cryptographic weaknesses in the MS-CHAP v2 protocol and is addressed through implementing configuration changes. For information on how to secure your MS-CHAP v2/PPTP based tunnel with PEAP, see Microsoft Knowledge Base Article 2744850.
What is MS-CHAP v2?
MS-CHAP v2 is a challenge-handshake mutual authentication protocol. When a user authenticates to a service, the remote access server asks for proof by sending a challenge to the client. Then, the client asks for proof by sending a challenge to the server. If the server cannot prove that it has knowledge of the user's password by correctly answering the client's challenge, the client terminates the connection. Without mutual authentication, a remote access client could not detect a connection to an impersonating server.
Is MS-CHAP v1 affected?
MS-CHAP v1 has been deprecated. For more information, see Microsoft Knowledge Base Article 926170.
What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker’s computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.
Suggested Actions
Secure your MS-CHAP v2/PPTP based tunnel with PEAP
For information on how to secure your MS-CHAP v2/PPTP based tunnel with PEAP, see Microsoft Knowledge Base Article 2744850.
Or, as an alternative to implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs, use a more secure VPN tunnel
If the tunnel technology used is flexible, and a password-based authentication method is still required, then Microsoft recommends using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication.
For more information, see the following links:
- L2TP - Configure L2TP/IPsec-based Remote Access
- VPN Reconnect (IPSEC IKEv2) - Configure IKEv2-based Remote Access
- SSTP - SSTP Remote Access Step-by-Step Guide: Deployment
Note Microsoft recommends that customers assess the impact of making configuration changes to their environment. Implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs may require less change to configuration and have a lesser impact to systems than implementing a more secure VPN tunnel, such as using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication.
Additional Suggested Actions
- Protect your PC
We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.
- Keep Microsoft Software Updated
Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
Other Information
Feedback
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
Support
- Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (August 20, 2012): Advisory published.