Microsoft is aware that detailed exploit code has been published for known weaknesses in the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). The MS-CHAP v2 protocol is widely used as an authentication method in Point-to-Point Tunneling Protocol (PPTP)-based VPNs. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
- Only VPN solutions that rely on PPTP in combination with MS-CHAP v2 as the sole authentication method are vulnerable to this issue.
Suggested Actions
Secure your MS-CHAP v2/PPTP based tunnel with PEAP
For information on how to secure your MS-CHAP v2/PPTP based tunnel with PEAP, see Microsoft Knowledge Base Article 2744850.
Or, as an alternative to implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs, use a more secure VPN tunnel
If the tunnel technology used is flexible, and a password-based authentication method is still required, then Microsoft recommends using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication.
For more information, see the following links:
- L2TP – Configure L2TP/IPsec-based Remote Access
- VPN Reconnect (IPSEC IKEv2) – Configure IKEv2-based Remote Access
- SSTP – SSTP Remote Access Step-by-Step Guide: Deployment
Note Microsoft recommends that customers assess the impact of making configuration changes to their environment. Implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs may require less change to configuration and have a lesser impact to systems than implementing a more secure VPN tunnel, such as using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication.
Microsoft Security Advisory (2743314) Unencapsulated MS-CHAP v2 Authentication Could Allow I
News