Duo Product Security Advisory

Advisory ID: DUO-PSA-2017-001
Publication Date: 2017-03-14
Revision Date: 2017-03-14
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue in our cloud service which, under certain configurations, could have enabled attackers who have separately compromised a user's primary credentials to add additional unauthorized second-factor authentication devices or modify previously-registered devices for that user. The issue only affects a subset of customers who have enabled the Self-Service and Device Management Portal on their applications.

Duo resolved this issue within 24 hours of the report by deploying a fix to our cloud service that correctly enforces authentication in all cases prior to accessing the options to add/remove/change authentication devices associated with a user account.

Duo has confirmed with certainty that there were no attacks against this vulnerability on or after 2016-11-16, and has found no evidence suggesting that this vulnerability was ever exploited prior to that date.

However, in the interest of transparency, we are sharing any activities performed through the Self-Service and Device Management Portal for which the possibility of an attack cannot be completely ruled out. If you have received this notification, Duo has flagged these activity patterns for your account. Again, there is no evidence that these are malicious activities, but you may choose to review these activities and/or take further actions, as described below.

Description

Duo's cloud service contains two optional features called the Self-Service Portal and the Device Management Portal which allow users to manage their own Duo accounts and enrolled authentication devices. On applications where either feature is enabled, an attacker who also had access to a user's primary credentials could have gained access to the portion of the portal where users can manage (add/change/remove) authentication devices by initiating - but not successfully completing - a second factor authentication, then crafting and loading a special URL.

Impact

Duo has found no evidence that this vulnerability was ever exploited. A thorough analysis of detailed operational logs has confirmed that there were no attacks against this vulnerability from 16-Nov-2016 until the vulnerability was patched on 10-Feb-2017. A further analysis of less-granular operational logs prior to 16-Nov-2016 affirms that the vast majority of Duo customers and users were never impacted.

In a successful attack, an adversary who had previously compromised a user's primary credentials may have been able to add authentication devices or modify previously-registered authentication devices for that user, ultimately leading to bypass of second-factor authentication.

For a small subset of Duo users and customers, we have identified activity patterns prior to 16-Nov-2016 that could be consistent with either legitimate user activity or exploitation of this vulnerability. There is not enough information in our logs to allow us to distinguish between these two cases. After manually reviewing these log patterns, we strongly believe they are, in all cases, the result of legitimate user activity (eg. adding, modifying, removing authentication devices) and represent false positives. Nonetheless, as we value transparency in security, we are presenting the complete list of the user activity to impacted customers so that they can determine for themselves whether to perform further review and/or take proactive action (eg. re-enroll those users).

Customers who directly received this notification can use the Duo Administrator Panel to find the list of user activities for review and potential follow-up action at https://admin.duosecurity.com/psa/DUO-PSA-2017-001.

Affected Product(s)

Affected configurations include any applications that enabled the Device Management / Self-Service Portal features with Duo's service.

Solution

A fix that correctly enforces authentication in the Self-Service Portal and Device Management Portal has been deployed to Duo's cloud service. No action is necessary for customers to resolve the issue.

Customers who directly received this notification can perform further review of user activity and/or take proactive action in Duo Administrator Panel at https://admin.duosecurity.com/psa/DUO-PSA-2017-001.

Vulnerability Metrics

Vulnerability Class: CWE-592: Authentication Bypass Issues
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: High
CVSSv2 Overall Score: 6.5
CVSSv2 Group Scores: Base: 7.9, Temporal: 6.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C)

References

• CWE-592: Authentication Bypass Issues
• Duo Self-Service Portal
• Duo Device Management Portal

Timeline

2017-02-09

• Duo privately receives report of a security vulnerability in the Self-Service Portal and Device Management Portal
• Duo acknowledges receipt of report and begins investigation
• Duo confirms vulnerability exists
• Duo begins development of a patch

2017-02-10

• Duo confirms the vulnerability with the reporting party
• Duo commits and tests a fix
• Fix is deployed to all Duo cloud deployments, closing off the vulnerability for all customers
• Duo begins retrospective evaluation for all possible indicators that the vulnerability might have been exploited

2017-02-14

• Duo confirms via retrospective analysis that no attacks have occurred in previous 90 days, begins search back toward origin of vulnerability in March 2014

2017-02-22

• Duo concludes retrospective evaluation for all possible indicators that the vulnerability might have been exploited
• Duo begins developing functionality to allow customers to access information about flagged user activities and, if desired, disable logins and require re-enrollment for these users

2017-03-06

• Duo completes development of remediation functionality, and begins testing/deployment

2017-03-13

• Deployment of remediation functionality completed

2017-03-14

• PSA distributed to potentially impacted customers

Credits/Contact

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2017-001" in the subject, or to your Customer Success Manager, if appropriate.

Duo Security would like to thank Brian W. Gray of Carnegie Mellon University for reporting this issue and the Carnegie Mellon Identity Services team for their assistance throughout.