[Original text] The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks.
Cisco has announced the EAP-FAST protocol as a secure replacement for LEAP. Users are advised to migrate to this or other protocols such as PEAP or EAP-TLS. More information can be found in the referenced vendor advisory (Dictionary Attack on Cisco LEAP Vulnerability).
It has been reported that Cisco LEAP (Lightweight Extensible Authentication Protocol) is prone to a password disclosure weakness that may allow a remote user to steal user passwords. The issue may be exploited by brute-forcing user passwords with dictionary attacks.
Successful exploitation of this weakness may allow a remote attacker to steal authentication information, potentially allowing for unauthorized network access.
Cisco LEAP contains a flaw that may allow a malicious user to recover user accounts and passwords. Cisco LEAP is a modified implementation of MS-CHAPv2, which is vulnerable to dictionary attacks. It is possible that the flaw may allow offline brute force recovery of usernames and passwords resulting in a loss of confidentiality.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
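As an added defender-side illustration (not part of any of the advisories quoted above), the following Python script audits a wpa_supplicant-style client configuration for networks still authenticating with LEAP and reports them for migration to EAP-FAST, PEAP or EAP-TLS as the vendor advises; the configuration sample is constructed, and the `ca_cert` check is an added caveat for the tunneled replacements.

```python
import re

# Constructed wpa_supplicant-style client config used as sample input.
SAMPLE_CONFIG = """
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=LEAP
}
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"   # server certificate is validated
    phase2="auth=MSCHAPV2"
}
"""

NETWORK_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)

def parse_networks(config_text):
    """Return one dict of key/value parameters per network={...} block."""
    networks = []
    for body in NETWORK_BLOCK.findall(config_text):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                params[key.strip()] = value.strip().strip('"')
        networks.append(params)
    return networks

def audit_config(config_text):
    """Return findings for networks still using LEAP or a weakly configured replacement."""
    findings = []
    for params in parse_networks(config_text):
        ssid = params.get("ssid", "<unnamed>")
        methods = {m.upper() for m in params.get("eap", "").split()}
        if "LEAP" in methods:
            findings.append(f"{ssid}: LEAP in use (MS-CHAPv2-style exchange open to offline "
                            "dictionary attack); migrate to EAP-FAST, PEAP or EAP-TLS")
        # Added caveat: PEAP/EAP-FAST only shield the inner credential if the client
        # validates the authentication server's certificate.
        if methods & {"PEAP", "FAST"} and not any(k in params for k in ("ca_cert", "ca_path")):
            findings.append(f"{ssid}: tunneled EAP without ca_cert/ca_path; server not validated")
    return findings
```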