Advisory ID: DUO-PSA-2014-001
Publication Date: 2014-01-08
Status: Confirmed, Fixed
Document Revision: 2
Older versions of the Duo Security Outlook Web Access (OWA) integration may be vulnerable to a bypass of the second authentication factor.
Under normal operation, a user will be presented with the Duo interstitial page, e.g. a URL such as https://mail.company.com/owa/duo.aspx. By appending characters to the end of the Duo URL when sending the request (e.g. https://mail.company.com/owa/duo.aspxabcd1234), the user will subsequently bypass the second factor of authentication and access protected OWA resources (e.g. their OWA mailbox).
A user with valid primary authentication credentials (username and password) may be able to bypass the second factor of authentication.
Duo Security OWA Integration version 220.127.116.11 and below. Customers can check the currently installed version of the OWA integration by opening the Windows Control Panel, selecting Programs, then Programs and Features, and looking under the 'Version' column.
For servers running IIS 7-8.5, the URL Rewrite module can be used to restrict requests that would otherwise bypass the Duo OWA integration. For example, a request to https://mail.company.com/owa/duo.aspxabcd1234 could be rewritten or redirected to the correct URL, https://mail.company.com/owa/duo.aspx. Alternatively, the malformed request could be denied altogether. In either case, the Duo/2FA-specific URLs against which filters should be applied are:
Exchange 2010 and 2013 Organizations: Install the Duo Security OWA Integration version 1.1.1 or later on your Client Access Servers. The latest release can be downloaded from https://dl.duosecurity.com/duo-owa-latest.msi. See https://www.duosecurity.com/docs/owa for installation instructions.
Exchange 2007 Organizations: Install the Duo Security OWA Integration for Exchange 2007 version 1.0.8 on your Client Access Servers. The latest release can be downloaded from https://dl.duosecurity.com/duo-owa-latest-2007.msi. See https://www.duosecurity.com/docs/owa-2007 for installation instructions.
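The following web.config fragment is an added illustration of the IIS URL Rewrite workaround described above; it is not part of the advisory and not Duo's own configuration. It assumes IIS 7 or later with the URL Rewrite module installed, that the file is placed at the web site root (so the matched path begins with "owa/"), and that /owa/duo.aspx is the Duo interstitial URL as in the advisory's example. The rule name is an arbitrary label.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative web.config fragment (added example, not from the advisory).
     Assumptions: URL Rewrite module installed; this file sits at the site root,
     so request paths are matched relative to "/" and begin with "owa/". -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Match any path that begins with owa/duo.aspx and carries at least one
             extra character after it (e.g. owa/duo.aspxabcd1234), but leave the
             exact path owa/duo.aspx untouched. Matching is case-insensitive by
             default. The query string is not part of the match, so
             owa/duo.aspx?x=y still passes through unchanged. -->
        <rule name="Normalize Duo OWA interstitial URL" stopProcessing="true">
          <match url="^owa/duo\.aspx.+$" />
          <!-- Option 1: send the client to the canonical Duo page with a 302,
               preserving any query string. -->
          <action type="Redirect" url="/owa/duo.aspx" appendQueryString="true" redirectType="Found" />
          <!-- Option 2 (use INSTEAD of the action above): refuse the request.
          <action type="AbortRequest" />
          -->
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Apply the same rule shape to each Duo-specific URL the advisory lists for filtering. If the fragment is placed in the web.config of the OWA virtual directory instead of the site root, drop the "owa/" prefix from the pattern, since URL Rewrite matches paths relative to the directory holding the configuration. A client-side redirect turns a POST into a GET and discards the form body, so if the Duo page is posted to, an internal rewrite (action type="Rewrite" with the same URL) keeps the method and body while still presenting the canonical path to the Duo module; denying the request outright (AbortRequest) is the most conservative choice and avoids the question entirely. Whichever action is chosen, verify after deployment that the exact path /owa/duo.aspx still loads normally and that a path with trailing characters no longer reaches OWA.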
Vulnerability Class: Authentication Bypass Issue (CWE-592), Authentication Bypass by Alternate Name (CWE-289)
Remotely Exploitable: Yes
Authentication Required: Yes/Partial (first factor required; second factor bypassed)
CVSSv2 Overall Score: 7.1
CVSSv2 Group Scores: Base: 5.5, Temporal: 4.8, Environmental: 7.1
Duo Security would like to thank Soorya Tanikella of Facebook, Inc. for discovering and reporting
Feedback regarding this issue should be sent to firstname.lastname@example.org and reference "DUO-PSA-2014-001" in the subject.