Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-001
Publication Date: 2014-01-08
Status: Confirmed, Fixed
Document Revision: 2

Overview

Older versions of the Duo Security Outlook Web Access (OWA) integration may be vulnerable to a bypass of the second authentication factor.

Description

Under normal operation, a user is presented with the Duo interstitial page at a URL such as https://mail.company.com/owa/duo.aspx. By appending characters to the end of the Duo URL when sending the request (e.g. https://mail.company.com/owa/duo.aspxabcd1234), the user subsequently bypasses the second factor of authentication and can access protected OWA resources (e.g. their OWA mailbox).

Impact

A user with valid primary authentication credentials (username and password) may be able to bypass the second factor of authentication.

Affected Product(s)

Duo Security OWA Integration version 1.0.7.0 and below. Customers can check the currently installed version of the OWA integration by opening the Windows Control Panel, selecting Programs, then Programs and Features, and looking under the 'Version' column.

Workaround

For servers running IIS 7-8.5, the URL Rewrite module can be used to restrict requests that would otherwise bypass the Duo OWA integration. For example, a request going to https://mail.company.com/owa/duo.aspxabcd1234 could be rewritten/redirected to the correct URL of https://mail.company.com/owa/duo.aspx. Alternatively, the malformed request could be denied altogether. In either case, the Duo/2FA-specific URLs against which filters should be applied are:

  • /owa/duo.aspx
  • /owa/auth.owa
  • /owa/lang.owa
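The following web.config fragment is an added example of the workaround described above, written for the IIS URL Rewrite module; it is not configuration shipped by Duo Security. It assumes placement in the web.config of the IIS site that hosts the /owa virtual directory, and the rule name is an arbitrary label. It matches any request whose path is one of the three URLs listed above followed by trailing characters and redirects it to the canonical URL; a deny variant is included as a commented-out alternative.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not Duo's own configuration): IIS URL Rewrite rule that
     normalizes the Duo/2FA-specific OWA URLs so that appended characters
     cannot reach the protected resources. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is an arbitrary label chosen for this example. -->
        <rule name="Normalize Duo OWA URLs" stopProcessing="true">
          <!-- {R:1} captures the legitimate file name; (.+) is whatever was
               appended to it. The match runs against the path only (the query
               string is not part of it) and is case-insensitive by default,
               so DUO.ASPXabcd1234 is caught as well. -->
          <match url="^owa/(duo\.aspx|auth\.owa|lang\.owa)(.+)$" />
          <!-- Variant 1: divert the request to the correct URL. The original
               query string is carried over (appendQueryString defaults to true). -->
          <action type="Redirect" url="/owa/{R:1}" redirectType="Found" />
          <!-- Variant 2 (alternative; remove the Redirect action above to use it):
               deny the malformed request outright with a 404.
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found"
                  statusDescription="Malformed OWA URL" />
          -->
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

If the rule is placed in the web.config of the owa virtual directory itself rather than at the site level, drop the leading `owa/` from the pattern, since URL Rewrite matches the path relative to the directory holding the configuration. After deploying the rule, confirm in the IIS request logs that a request for /owa/duo.aspx followed by extra characters is answered with a 302 to /owa/duo.aspx (or a 404 with the deny variant) and that an unmodified request for /owa/duo.aspx still reaches the Duo interstitial page.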

Solution

Exchange 2010 and 2013 Organizations: Install the Duo Security OWA Integration version 1.1.1 or later on your Client Access Servers. The latest release can be downloaded from https://dl.duosecurity.com/duo-owa-latest.msi. See https://duo.com/docs/owa for installation instructions.

Exchange 2007 Organizations: Install the Duo Security OWA Integration for Exchange 2007 version 1.0.8 on your Client Access Servers. The latest release can be downloaded from https://dl.duosecurity.com/duo-owa-latest-2007.msi. See https://duo.com/docs/owa for installation instructions.

Vulnerability Metrics

Vulnerability Class: Authentication Bypass Issue (CWE-592), Authentication Bypass by Alternate Name (CWE-289)
Remotely Exploitable: Yes
Authentication Required: Yes/Partial (first factor required; second factor bypassed)
Severity: High
CVSSv2 Overall Score: 7.1
CVSSv2 Group Scores: Base: 5.5, Temporal: 4.8, Environmental: 7.1
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C/CDP:LM/TD:ND/CR:H/IR:H/AR:ND

References

Timeline

2014-01-08

  • Duo Security is notified of the vulnerability by Facebook
  • Duo Security responds to Facebook to ascertain additional information
  • Duo Security reproduces the issue, confirms vulnerability
  • Duo Security addresses the vulnerability in the affected component; provides status update to Facebook on reproduction and availability of fixed version
  • Advisory is drafted, shared with potentially affected Duo Security Business and Enterprise customers

2014-02-04

  • Advisory is shared with potentially affected Duo Security Personal customers

Credits/Contact

Duo Security would like to thank Soorya Tanikella of Facebook, Inc. for discovering and reporting this issue.

Feedback regarding this issue should be sent to security@duosecurity.com and reference "DUO-PSA-2014-001" in the subject.