VYPR
Medium severity 5.6 · NVD Advisory · Published Sep 18, 2014 · Updated May 6, 2026

CVE-2014-4364

Description

The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The 802.1X subsystem in Apple iOS and Apple TV accepted LEAP authentication, enabling an attacker operating a crafted AP to compute Wi-Fi credentials.

Vulnerability

The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 accepts LEAP (Lightweight Extensible Authentication Protocol) authentication offered by a Wi-Fi access point without requiring strong authentication methods [1][2][3]. Affected versions: iOS versions prior to 8 (iPhone 4s and later, iPod touch 5th generation and later, iPad 2 and later) and Apple TV versions prior to 7 (3rd generation and later). LEAP uses MS-CHAPv1, which is vulnerable to offline dictionary attacks.

Exploitation

An attacker must be within wireless range to set up a rogue Wi-Fi access point that connects to the victim's target network. The rogue AP offers LEAP authentication; when the victim device connects, the attacker captures the MS-CHAPv1 challenge-response handshake. The attacker then performs a cryptographic attack against the MS-CHAPv1 hash to recover the user's domain credentials (username and password). No prior authentication or user interaction beyond connecting to the rogue AP is required [1][2][3].
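A detection-side illustration of the step above (an added example, not code from the advisory or from Apple): an EAP-Request whose method type is 17 is an access point offering LEAP, which a wireless monitor can flag. The header layout follows EAPOL and RFC 3748; the function names, BSSIDs and sample frames are constructed for this example.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_LEAP = 17          # IANA EAP method type 17 (LEAP)
EAPOL_TYPE_EAP_PACKET = 0   # EAPOL packet type carrying an EAP packet

def parse_eapol(frame: bytes):
    """Parse an EAPOL payload (the bytes after EtherType 0x888E).
    Returns a dict, or None if it is not a well-formed EAP packet."""
    if len(frame) < 4:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET or body_len < 4 or len(frame) < 4 + body_len:
        return None
    eap = frame[4:4 + body_len]
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    if code not in EAP_CODES or eap_len < 4 or eap_len > len(eap):
        return None
    # Only Request and Response packets carry a method type byte.
    method = eap[4] if code in (1, 2) and eap_len >= 5 else None
    return {"code": EAP_CODES[code], "id": ident, "method": method}

def leap_offers(frames):
    """Return (bssid, eap_id) for every EAP-Request that offers LEAP."""
    hits = []
    for bssid, payload in frames:
        pkt = parse_eapol(payload)
        if pkt and pkt["code"] == "Request" and pkt["method"] == EAP_TYPE_LEAP:
            hits.append((bssid, pkt["id"]))
    return hits

def _eapol(code, ident, method=None, data=b""):
    """Build a constructed EAPOL frame for the sample input below."""
    body = (bytes([method]) + data) if method is not None else b""
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap

# Constructed sample capture: (BSSID, EAPOL payload). Method data is placeholder bytes.
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", _eapol(1, 1, 1)),                     # Identity request
    ("02:00:00:00:00:01", _eapol(1, 2, 25, b"\x20")),           # PEAP request
    ("02:00:00:00:00:02", _eapol(1, 7, 17, b"\x01\x00\x08" + bytes(8))),  # LEAP offered
    ("02:00:00:00:00:02", _eapol(2, 7, 17, b"\x01\x00\x18" + bytes(24))), # client response
    ("02:00:00:00:00:03", _eapol(1, 8, 17, bytes(11))[:6]),     # truncated, ignored
]

if __name__ == "__main__":
    for bssid, eap_id in leap_offers(SAMPLE_FRAMES):
        print(f"LEAP offered by {bssid} (EAP id {eap_id})")
```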

Impact

Successful exploitation allows the attacker to derive the victim's Wi-Fi credentials (often domain credentials). With those credentials, the attacker can authenticate to the intended legitimate access point, potentially gaining unauthorized network access, intercepting traffic, or further compromising the network. This impacts confidentiality of network communications and credentials [1][2][3].

Mitigation

Apple iOS 8 [1] and Apple TV 7 [3] address the issue by disabling LEAP by default or removing support for LEAP entirely. For iOS, the fix is included in iOS 8 (released September 17, 2014). For Apple TV, the fix is in Apple TV software version 7 (also released September 17, 2014). No workaround is available for unpatched devices; users should update to the latest software versions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

19
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (+ 9 more)
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=7.1.2)
    • cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.1.1:*:*:*:*:*:*:*
  • Apple Inc./tvOS (7 versions)
    cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* (+ 6 more)
    • cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* (range: <=6.2)
    • cpe:2.3:o:apple:tvos:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.1.2:*:*:*:*:*:*:*
  • Apple Inc./iOS (llm-fuzzy)
    Range: <8
  • Range: <7
