Microsoft : PEAP-MSCHAPv2 Vulnerability Could Allow For Credential Theft

News Security Threats

Microsoft : PEAP-MSCHAPv2 Vulnerability Could Allow For Credential Theft

Recently, Microsoft released a report of a known security vulnerability present within Wi-Fi authentication. The authentication protocol known as PEAP-MSCHAPv2, a widely supported standard, can be exploited to gain user login information from devices which are not properly configured to connect only to trusted RADIUS servers.

The article describes a potential vulnerable scenario: An attacker can imitate a trusted access point from their own laptop, for instance on a college campus. A student whose device has not been configured properly for the school’s legitimate SSID will connect to the nearby imitation SSID automatically, and will attempt to auto-authenticate with the attacker’s spoofed network. In doing so it sends encrypted packets containing the user’s login information to the attacker’s computer. A well-documented weakness in PEAP-MSCHAPv2’s encryption method allows the attacker to easily decrypt the packets, thereby allowing the attacker to easily acquire the user’s login credentials.

Microsoft provides recommendations to help users secure their devices. The primary defense is achieved with the use of server certificates; the authentication server has an identified and trusted certificate, issued by a public Certificate Authority or an IT department in the form of a private certificate. A secured device will verify that the RADIUS server it is contacting is holding the trusted certificate, confirming that the network is legitimate and allowing the device to connect to the network.

Failure to verify the server certificate leaves users and devices very susceptible to ActiveDirectory or LDAP credential theft via a simple Man-in-the-middle-Attack. Detailed explanation from Vivek Ramachandran, a world renowned security researcher, can be seen here:

The process to set up certificate validation is device-specific and difficult for users to correctly configure on their own. Manual configuration of personal devices presents serious security issues because users tend to skip server certificate validation or accidentally trust rogue networks.

Auto-configuration tools such as JoinNow automate this process for the user and make certain that the device is configured correctly for the secure network. JoinNow correctly configures the device to check for specified certificates and verify the device is connecting to the trusted network. This is imperative in today’s environments, as certificate prompts are otherwise ignored by users, can be confusing to interpret, and can cause serious security issues and help desk tickets if not configured properly.

JoinNow, in addition to many other useful features, properly configures security essentials such as certificate validation on a wide range of BYOD platforms (Windows, Mac, iOS, Android, Linux, Kindle Fire, and more). Rather than going through a risky and difficult process of manually configuring their personal devices, users can rest assured that they are onboarding in the easiest and most secure manner possible.

Read the report from Microsoft:
http://technet.microsoft.com/en-us/security/advisory/2876146

More information regarding the importance of certificate validation:
http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-th…