Advisory ID: DUO-PSA-2018-001
Publication Date: 2018-03-06
Revision Date: 2018-03-06
Status: Confirmed, Fixed
Document Revision: 1
Duo has identified and fixed an issue with our public documentation on the Duo Unix integration. The suggested Pluggable Authentication Module (PAM) stack for the AIX operating system contained a logic bug that could allow attackers to bypass secondary authentication. An attacker who had separately compromised a user's primary authentication credentials could then gain access without completing secondary authentication.
This issue is not a software flaw in Duo Unix, and does not require Duo Unix software updates. Applying the relevant configuration changes should be sufficient to remediate this issue.
To protect the 'su' and 'sshd' Unix programs, Duo previously (until 2018-02-26) recommended including the following PAM configuration for the AIX operating system:
auth requisite pam_aix
auth sufficient /usr/lib/security/pam_duo.so
This would attempt primary authentication via the pam_aix PAM module and fail immediately if that was unsuccessful. Then, if primary authentication was successful, it would attempt 2FA via the pam_duo module.
The error is that the 'sufficient' PAM control flag does not turn a failure of that particular module into an authentication failure for the stack as a whole. In other words, once primary authentication via pam_aix succeeded, PAM was already primed with a 'success' result, and it returned that result regardless of what pam_duo returned.
Configuring Duo Unix with the previously mentioned faulty PAM configuration causes Duo Unix to not enforce 2FA. Administrators should update their PAM configuration as soon as possible.
Affected Products: Duo Unix, when configured for AIX systems following Duo's documented PAM configuration prior to 2018-02-26.
Changing the PAM control flag to 'required' will fix the issue:
auth requisite pam_aix
auth required /usr/lib/security/pam_duo.so
The complete recommended PAM configuration can be found here: https://duo.com/docs/duounix#pam-examples
Note that no changes to Duo Unix itself are required.
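As an added illustration (not Duo's code and not the PAM library itself), the following Python model evaluates an 'auth' stack under the requisite, required and sufficient control flags the way PAM does, and shows that the previously documented stack accepts a correct password even when pam_duo fails, while the corrected stack does not. Module outcomes (success or failure of pam_aix and pam_duo) are simulated inputs, not real module calls.

```python
"""Model of PAM 'auth' stack evaluation for the control flags used in this
advisory: requisite, required and sufficient. Semantics follow the standard
PAM control-flag rules (Linux-PAM and AIX agree on these three flags).
Added illustration; not Duo Unix code."""

from typing import Dict, List, Optional, Tuple

# A stack is a list of (control_flag, module_name), mirroring the pam.conf lines.
Stack = List[Tuple[str, str]]
# Simulated module outcomes: True = PAM_SUCCESS, False = any failure code.
Results = Dict[str, bool]


def evaluate_auth_stack(stack: Stack, results: Results) -> bool:
    """Return True if the stack as a whole grants authentication."""
    final: Optional[bool] = None  # result recorded so far (None = nothing yet)
    for flag, module in stack:
        ok = results[module]
        if flag == "requisite":
            if not ok:
                return False  # fail immediately; remaining modules are skipped
            if final is None:
                final = True
        elif flag == "required":
            if not ok:
                final = False  # failure is remembered, but the rest still runs
            elif final is None:
                final = True
        elif flag == "sufficient":
            if ok and final is not False:
                return True  # success ends the stack early
            # A failing 'sufficient' module is ignored: the earlier result stands.
        else:
            raise ValueError(f"unsupported control flag: {flag}")
    return bool(final)


# The two stacks from this advisory (module paths shortened to names).
FAULTY_STACK: Stack = [("requisite", "pam_aix"), ("sufficient", "pam_duo")]
FIXED_STACK: Stack = [("requisite", "pam_aix"), ("required", "pam_duo")]


def bypass_possible(stack: Stack) -> bool:
    """Does a correct password with a failed second factor still log in?"""
    return evaluate_auth_stack(stack, {"pam_aix": True, "pam_duo": False})
```

Running `bypass_possible` on both stacks reproduces the advisory's finding: the 'sufficient' stack grants access with pam_duo failing, the 'required' stack denies it.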
Vulnerability Class: CWE-592: Authentication Bypass Issues
Remotely Exploitable: [Yes]
Authentication Required: [Partial]
Severity: [High]
CVSSv2 Overall Score: 5.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.7
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C
If you have questions regarding this issue, please contact us at:
Or, reach out to your Customer Success Manager, as appropriate.