Duo Product Security Advisory

Advisory ID: DUO-PSA-2018-004
Publication Date: 2018-12-18
Revision Date: 2018-12-18
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue with the Duo Access Gateway (DAG). This issue could have allowed for data exposure on the DAG's filesystem for certain limited use cases as described below. Specifically, a user's primary authentication credentials could have been temporarily stored on the DAG's server itself -- not externally, and not accessible to Duo. This issue was discovered internally while working on unrelated product features. Upon discovery, Duo developed a new version of DAG that patches the issue and deletes any potentially exposed information from the filesystem.

Description

A Duo Security employee identified a bug resulting in the exposure of users' primary authentication credentials. This exposure was limited to administrators with access to the DAG's filesystem. The bug affected both the Linux (Docker) and Windows versions of DAG, and was further limited to deployments of the DAG that meet the following criteria:

  • Office365 was the SAML application being authenticated to;
  • the Basic Authentication setting was set to disabled; and
  • the DAG was running version 1.5.0 through 1.5.5, inclusive.

Impact

This issue may have resulted in exposure of users' primary authentication credentials on the DAG's filesystem. This information could have been further exposed via backup or replication.

Duo does not have the ability to remotely access these files as they are held within the customer's environment. Moreover, these credentials were not exposed outside of the users' organizations.

Affected Product(s)

Duo Access Gateway (DAG) 1.5.0 - 1.5.5

Solution

In order to resolve this issue, customers must update their DAG deployments to version 1.5.6. This will patch the issue and delete any potentially exposed information from the filesystem.

Administrators should also consider locations this information may have been copied to -- for example in a system backup or a failover machine. Due to the potential for user credential exposure on the DAG's filesystem, organizations that believe this information may have been duplicated or accessed should consider having users reset their passwords out of caution.

Vulnerability Metrics

Vulnerability Class: CWE-313: Cleartext Storage in a File or on Disk
Remotely Exploitable: [No]
Authentication Required: [Partial]
Severity: [Low]
CVSSv2 Overall Score: 0.9
CVSSv2 Group Scores: Base: 3.7, Temporal: 2.7
CVSSv2 Vector: AV:L/AC:H/Au:M/C:C/I:N/A:N/E:U/RL:OF/RC:C/CDP:L/TD:L/CR:M/IR:ND/AR:ND

Timeline

2018-12-10

  • 11:45 ET - Duo identifies a bug that could store user credentials on the DAG's filesystem.
  • 14:15 ET - Duo narrows the scope of the issue and determines a remediation path.

2018-12-11

  • Duo compiles a list of potentially affected customers and begins patch creation.

2018-12-12

  • Duo verifies a fix and begins the build & test process for a new DAG release.

2018-12-14

  • Duo completes the build & quality assurance testing for a new DAG release with security fixes.

2018-12-18

  • Duo distributes the PSA to potentially affected customers and releases DAG version 1.5.6.

References

Credits/Contact

If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2018-004" in the subject
  • our phone line at +1(844)386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.