Duo Security’s WordPress Plugin Updated to Address Multisite Vulnerability
As we wrote about in an earlier blog, WordPress Multisite vulnerability in two-factor authentication plugins, we discovered a vulnerability that affected our duo_wordpress plugin. The vulnerability may have allowed a user of one site of a multisite WordPress deployment to bypass the second factor of authentication of another site on the same network.
We discovered the vulnerability while testing authentication redirects for multisite deployments; it affected only multisite deployments wherein the plugin is enabled on an individual per-site basis.
Normal WordPress deployments or multisite deployments with the plugin enabled globally were not affected.
While we originally stated we may need to work with WordPress to make core modifications to their plugin architecture in order to fix the issue, we were able to find a fix using the current WordPress APIs, as we explain below.
Duo/WordPress admins/users are advised to download the most recent plugin version 2.2 that fixes the multisite bypass issue.
Previously, Duo Security was involved only after primary authentication to verify a user’s identity via secondary authentication, while allowing WordPress to handle all permissions with their cookies after. Now, Duo Security is involved every step of the way to completely ensure that users cannot bypass two-factor via another site on the same WordPress network.
What do we mean by this? When a user successfully completes secondary authentication, we now set an additional Duo authentication cookie. Then, for every request a user sends to a Duo-protected WordPress site, we check to ensure they have a valid Duo cookie (in addition to the normal WordPress authentication cookies).
If the user does not have a valid Duo cookie - e.g. immediately following primary authentication, or after switching from a site for which the Duo plugin is not enabled - we prompt them to complete secondary authentication.
When researching this issue, we personally contacted other authentication vendors that responded to confirm they had the same problem with their plugins, revealing that the issue was not limited to our specific plugin. We encourage anyone concerned to check out our newly updated plugin, which can be found in the WordPress Plugin Directory.
Reach Out to Us
As always, here at Duo Security, we share our source code integrations with the security community at large, and welcome any questions about our product and team.
We also welcome any bug reports, feature requests, etc. from the public - you can report them to us using the github issue tracker or by contacting our support team. (Please report security issues directly to us at firstname.lastname@example.org).