On Vulnerabilities Disclosed in Microsoft Exchange Web Services
On November 2nd, researchers from Black Hills Information Security disclosed a technique for bypassing multi-factor authentication on Outlook Web Access. To be clear, this is not a vulnerability or defect in Duo’s service, but rather, it is a defect in Microsoft Exchange Web Services. Customers using Duo’s OWA integration should be sure to follow recommendations here and here to ensure they are not using an unsafe configuration of OWA.
The researchers noted that many MFA products - including Duo - add strong authentication to OWA's web-based interface, but not to the APIs and protocols used to service "thick client" mail applications (e.g. Microsoft Outlook, Apple Mail, etc.) While their discussion focused on EWS, their findings would generally apply to RPC-over-HTTPS and ActiveSync as well.
Due to the nature of these thick-client protocols, it has historically not been feasible to protect them with 2FA. This has long been a documented limitation of Duo's OWA integration (e.g. on our OWA FAQs - in full disclosure, we have updated this doc to clarify the security impact of this limitation in response to the BHIS blog post). In general, we would recommend that customers with on-premise deployments of Exchange Server / OWA avoid exposing those endpoints to the public internet if at all possible.
However, in Office 365, Microsoft has added a new mechanism called "Modern Authentication", which requires clients to authenticate using the Azure AD Authentication Library (ADAL). When enabled, Modern Authentication can be used to require multi-factor authentication for all access to Office 365 e-mail, including via thick-client protocols - although doing so will entirely disable e-mail access from legacy e-mail clients that do not support ADAL.
Configuring Office 365 with Duo - whether via Duo's AD FS integration or the Duo Access Gateway - requires Modern Authentication, and does by default prevent the attack described by BHIS. For more details on how Duo works with Modern Authentication and ADAL, see https://help.duo.com/s/article/3174?language=en_US
We want to thank Beau Bullock and the team from Black Hills Information Security for sharing their findings with the community and for updating their disclosure to further clarify that this was a problem with Microsoft EWS, and not with Duo Security’s products and services.
We strongly encourage security companies and researchers to contact our Security team directly at firstname.lastname@example.org with any concerns that might impact the security of our customers, products, and services.