[nsp] UPDATE: Cisco Security Notice: Dictionary Attack on Cisco LEAP Vulnerability

Cisco Systems Product Security Incident Response Team psirt at cisco.com
Mon Apr 12 13:59:18 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Cisco Security Notice: Dictionary Attack on Cisco LEAP Vulnerability

Revision 2.0

  Last Updated 2004 April 12 1600 UTC (GMT)

  For Public Release 2003 August 03 1600 UTC (GMT)

     ----------------------------------------------------------------------

Contents

     Summary
     Details
     Workarounds
     Status of This Notice: Final
     Revision History
     Cisco Security Procedures
     Related Information

     ----------------------------------------------------------------------

Summary

   Cisco LEAP is a mutual authentication algorithm that supports dynamic
   derivation of session keys. With Cisco LEAP, mutual authentication relies
   on a shared secret, the user's logon password-which is known by the client
   and the network, and is used to respond to challenges between the user and
   the Remote Authentication Dial-In User Service (RADIUS) server.

   As with most password-based authentication algorithms, Cisco LEAP is
   vulnerable to dictionary attacks.

   Cisco has now announced the availability of EAP-Flexible Authentication
   via Secure Tunneling (EAP-FAST) for users who wish to deploy an 802.1X
   Extensible Authentication Protocol (EAP) type that does not require
   digital certificates and is not vulnerable to dictionary attacks.

   This notice will be posted at
   http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml.

Details

   At DEFCON, on August 3, 2003, a presentation by Joshua Wright explored
   mechanisms that could make it easier for someone to write a tool to launch
   an offline dictionary attack on password-based authentications that
   leverage Microsoft MS-CHAP, such as Cisco LEAP. The source code of the
   dictionary attack tool called "asleap" was released on April 6, 2004.

   During a dictionary attack, variations of passwords are used to compromise
   a user's authentication credentials. Most password-based authentication
   algorithms are vulnerable to dictionary attacks in the absence of a strong
   password policy.

   Cisco developed EAP-FAST for users who wish to deploy an 802.1X EAP type
   that does not require digital certificates and is not vulnerable to
   dictionary attacks.

Workarounds

   Creating a strong password policy is the most effective way to mitigate
   against dictionary attacks. This includes using strong passwords and
   periodically expiring passwords. Cisco recommends that customers review
   their security policies and incorporate the best practices outlined in the
   802.11 Wireless LAN Security White Paper -
   http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
   (refer to section 5.2 "Cisco LEAP Deployment").

   Users could migrate to another EAP type like EAP-FAST, PEAP or EAP-TLS
   whose authentication methods are not susceptible to dictionary attacks.

     * EAP-FAST is an authentication protocol that creates a secure tunnel
       without using certificates.
     * PEAP is a hybrid authentication protocol that creates a secured TLS
       tunnel between the WLAN user and the RADIUS server to authenticate the
       user to the network. This requires certificate and public key
       infrastructure (PKI) management on both RADIUS servers and WLAN
       clients.
     * EAP-TLS uses pre-issued digital certificates to authenticate a user to
       the network. This requires certificate and PKI management on both
       RADIUS servers and WLAN clients.

Status of This Notice: Final

   This is a final notice. Although Cisco cannot guarantee the accuracy of
   all statements in this notice, all of the facts have been checked to the
   best of our ability. Cisco does not anticipate issuing updated versions of
   this notice unless there is some material change in the facts. Should
   there be a significant change in the facts, Cisco may update this notice.

   A stand-alone copy or paraphrase of the text of this security notice that
   omits the distribution URL in the following section is an uncontrolled
   copy, and may lack important information or contain factual errors.

Revision History

   +------------------------------------------+
   |Revision 2.0|2004-April-12 |Announcing    |
   |            |              |EAP-FAST.     |
   |------------+--------------+--------------|
   |Revision 1.0|2003-August-02|Initial       |
   |            |              |release.      |
   +------------------------------------------+

Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and registering to
   receive security information from Cisco, is available on Cisco's worldwide
   website at
   http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
   includes instructions for press inquiries regarding Cisco security
   notices. All Cisco security advisories are available at
   http://www.cisco.com/go/psirt.

     ----------------------------------------------------------------------

Related Information

     * EAP-FAST IETF Draft -
       http://www.ietf.org/internet-drafts/draft-cam-winget-eap-fast-00.txt
     * EAP-FAST FAQ -
       http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml.
     * Read more about Cisco Response to Dictionary Attacks on Cisco LEAP -
       http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html.
     * SAFE Architecture White Paper on Wireless LAN Security (first
       published in December 2001) -
       http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm
       (see the section on "Standard EAP with TKIP WLAN Design").
     * Information on other authentication types such as Protected Extensible
       Authentication Protocol (PEAP), Extensible Authentication Protocol
       Transport Layer Security (EAP/TLS), and their deployment information -
       http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml.

     ----------------------------------------------------------------------

   All contents are Copyright (c) 1992-2004 Cisco Systems, Inc. All rights
   reserved. Important Notices and Privacy Statement.

   --------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT

iD8DBQFAethGezGozzK2tZARAnwuAKC2AOnLAg9KOXwcBMfvILUs8x3AsQCgoo3Q
jSKbdpyoDfPpaj0fcf2o7Us=
=ymYl
-----END PGP SIGNATURE-----



More information about the cisco-nsp mailing list