Re: Weaknesses in LEAP Challenge/Response

[Sharad Ahlawat <sahlawat () cisco com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is in response to the mail posted by Joshua Wright. The original mail is 
available at
http://www.securityfocus.com/archive/1/340365/2003-10-03/2003-10-09/0

On Monday 06 October 2003 05:06, Joshua Wright wrote:
> In August 2003, I sent a tool I had written to the Cisco PSIRT team
> that exploited weaknesses in the LEAP challenge/response
> authentication mechanism.  This tool leveraged large password lists
> to efficiently launch offline dictionary attacks against LEAP user
> accounts, collected through passive sniffing or active
> disassociate/reassociate techniques.
>
> The Cisco LEAP challenge/response mechanism is just a modified
> version of MS-CHAPv2, as documented on the cisco.com website [1].
> The MS-CHAPv2 protocol is known to be weak, as documented in many
> sources.

This is not a new attack or new vulnerability of Microsoft MS-CHAP or Cisco 
LEAP and this proof of concept code demonstrates that simple dictionary based 
passwords can be deciphered relatively easily. The most effective way to 
mitigate against dictionary attacks is to create a strong password policy. 
Cisco discussed Cisco LEAP's vulnerability to dictionary attacks and its 
mitigation techniques in the SAFE Wireless LAN Security White Paper, 
originally published in 2001. [1]

> My concern when learning about the architecture of the LEAP protocol
> was that Cisco was continuing to push LEAP to customers in their CCX
> program as a way to gain market share, over stronger wireless
> authentication protocols such as PEAP and TTLS.

Cisco is a co-inventor of PEAP and has invested heavily in developing and 
implementing PEAP and supports it for deployment today. The CCX program also 
includes support for PEAP along with LEAP.

Cisco has made multiple EAP protocols available for deployment namely LEAP, 
PEAP and EAP-SIM. It would be incorrect to state that Cisco "pushes" LEAP. 
Cisco strives to provide support for the protocols requested/demanded by our 
customers, allowing customers to make the best decisions for their network 
implementations.

> After presenting
> this information at the Defcon 11 conference [2], Cisco released a
> PSIRT notice that referenced their internal documentation, making
> customers aware that LEAP was vulnerable to dictionary attacks [3].
> This notice was very subtle, and despite my asking Cisco to reword
> the notice to include stronger language that would prompt people who
> are using LEAP to take the flaw seriously, Cisco would not modify the
> notice.

Cisco security notices and announcements are only released in response to 
security vulnerabilities in our products. They state the vulnerability 
clearly and precisely. They do not contain strong, or for the lack of another 
word, weak language. Cisco posted a security notice for Dictionary Attacks on 
Cisco LEAP on August, 02, 2003 at 
http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml to reiterate 
the susceptibility of LEAP to dictionary attacks in the absence of a strong 
password policy.

> I am not the first person to identify this weakness, and I know that
> other people have written code (that is likely far better than my own
> code) to exploit this flaw but have remained quiet while Cisco
> prepares an alternate, stronger authentication mechanism for
> customers.

Cisco appreciates security researchers who follow the generally acknowledged 
guidelines of responsible disclosure, giving vendors an opportunity to fix a 
vulnerability before publicizing it.

> In an effort to give Cisco and their customers time to
> react to this flaw, I told Cisco I would not release my attack code
> for 6 months, starting in August 2003.  I plan to keep this promise,
> although it may be moot since other exploit code has been posted to
> public forums that exploits the same challenge/response flaw.

Cisco appreciates the offer to not release the proof of concept code till 
February, 2004. Cisco is currently working on a software upgrade for our 
customers that would address this vulnerability of LEAP being susceptible to 
dictionary attacks. This software release is expected to be available by 
March, 2004. Releasing the proof of concept code before users have migrated 
to a dictionary attack proof implementation is like releasing exploit code 
and I am not sure of any beneficial purpose that would serve.

> Customers using LEAP should be aware that the usernames and password
> of their user account are exposed, and should plan for the deployment
> of an alternate authentication mechanisms such as PEAP or TTLS.

This is an incorrect statement. Cisco LEAP is a secure 802.1X EAP 
authentication solution-when accompanied with a strong password policy. Users 
can confidently deploy and continue to use Cisco LEAP in conjunction with a 
strong password policy and do always have the choice of deploying any other 
EAP protocol.

> Disabling user accounts after successive failed login attempts will
> not help protect against unauthorized access, since this is an
> offline attack that can be run at the attacker's leisure.  At a bare
> minimum, LEAP users should immediately audit and expire user
> passwords that are based on dictionary words, or common derivations.

Using a strong password policy for protection from dictionary attacks has 
always been Cisco's recommendation to customers.

/Sharad


> -Joshua Wright
> Senior Network and Security Architect
> Johnson & Wales University
> Joshua.Wright () jwu edu
> http://home.jwu.edu/jwright/
>
> pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
> fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
>
>
> [1] "802.11 Wireless LAN Security White Paper",
> http://www.cisco.com/en/US/netsol/ns110/ns175/ns176/ns178/networking_s
> olutions_white_paper09186a00800b469f.shtml (section 5 - "Cisco LEAP
> Architecture").
>
> [2] "Weaknesses in LEAP Challenge/Response",
> http://home.jwu.edu/jwright/presentations/asleap-defcon.pdf.
>
> [3] "Dictionary Attack on Cisco LEAP",
> http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml.

- -- 
Sharad Ahlawat
Cisco Product Security Incident Response Team (PSIRT)
http://www.cisco.com/go/psirt
Phone:+1 (408) 527-6087
PGP-key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC12A996C
-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat

iD8DBQE/gw/KGoGomMEqmWwRAh28AKDHwVebQ+tIzarsX/G4a4BlLqc1xQCg95R/
C8isa5c4ZrLUwI5Vp1ToNWc=
=Y6SB
-----END PGP SIGNATURE-----