End of Days for MS-CHAPv2
Moxie Marlinspike and David Hulton gave a talk at Defcon 20 on a presentation on cracking MS-CHAPv2 with 100% success rate. This protocol is still very much in use with PPTP VPNs, and WPA2 Enterprise environments for authentication.
Moxie's recommendations [1]:
1- All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.
2- Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.
Knowing that MS-CHAPv2 can now be cracked, what alternatives are you considering to secure your now insecure communications? The two alternatives suggested by Moxie are "[...] OpenVPN configuration, or IPSEC in certificate rather than PSK mode."
[1] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
[2] https://github.com/moxie0/chapcrack
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
BIND 9 Security Updates
BIND has released 4 new versions that takes care of 2 security issues. They can be downloaded here.
- 9.6-esv-r7-p2
- 9.7.6-p2
- 9.8.3-p2
- 9.9.1-p2
New security bulletins
- CVE-2012-3868: High TCP Query Load Can Trigger a Memory Leak in BIND 9
- CVE-2012-3817: Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND9
[1] http://www.isc.org/downloads/all
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3868
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments