MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol and is described in RFC2759. A recent presentation by Moxie Marlinspike  has revealed a breakthrough which reduces the security of MS-CHAPv2 to a single DES encryption (2^56) regardless of the password length. Today, we published Security Advisory 2743314 with recommendations to mitigate the effects of this issue.
Any potential attack would require a man in the middle situation in which a third party can get all the traffic between the client and authenticator during the authentication.
Without going into much detail about the MS-CHAPv2 protocol, we will just discuss the part that would be affected by this type of attack: the challenge and response authentication. This is how the client responds to the challenge sent by the authenticator:
C=SHA1(CS,CC,UNAME)P=MD4(PASSWORD)K1|K2|K3=P|5 byte of 0R=DES(K1,C)|DES(K2,C)|DES(K3,C)
There are several issues in this algorithm that combined together can result in the success of this type of attack.
First, all elements of the challenge and response beside the MD4 of the password are sent in clear over the wire or could be easily calculated from items that are sent over the wire. This means that for a man in the middle attacker, the gain of the password hash will be enough to re-authenticate.
Secondly, the key derivation is particularly weak. Padding with 5 bytes of zero means that the last DES key has only a key space of 2^16.
Lastly, the same plaintext is encrypted with K1 and K2, which means a single key search of 2^56 is enough to break both K1 and K2.
Once the attacker has K1, K2 and K3 he has the MD4 of the password which is enough to re-authenticate.
- Ali Rahbar, MSRC Engineering