Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-002
Publication Date: 2014-01-09
Status: Confirmed, Unfixed
Document Revision: 3

Overview

Duo Security has identified an issue in which it is possible to bypass second factor authentication of Remote Desktop Web Access and Remote Desktop Gateway integrations when they are installed on Windows Server 2012 (or newer).

Description

Under normal operation, both of these integrations work to add two-factor authentication by restricting connections through Remote Desktop Gateway:

  • The "RD Web Access integration" requires users to first complete 2-factor authentication through RD Web Access before permitting them to connect through RD Gateway
  • The "RD Gateway integration" initiates an out-of-band challenge (e.g. via Duo Push or a phone call) at the point when a user initiates a connection to RD Gateway

Duo’s integrations specifically protect the RPC-over-HTTPS transport used by RD Gateway on Windows Server 2008 R2. However, Windows Server 2012 added two new transport mechanisms that Duo’s integration does not currently protect. If a user connects to Windows Server 2012 using version 8.0 (or newer) of Microsoft's RDP client - e.g. from a Windows 8 client - then two-factor authentication will not be enforced.

(For more details on the circumstances under which the newer RD Gateway transport mechanisms are used, see "What's new in Windows Server 2012 Remote Desktop Gateway".)

Impact

A user with valid primary authentication credentials (username and password) may be able to bypass the second factor of authentication.

Affected Product(s)

  • Duo "Remote Desktop Web Access" integration 1.0.2 and below
  • Duo "Remote Desktop Gateway" integration 1.0.2 and below

Workaround

As a temporary workaround, you can force all clients connecting to your RD Gateway server to use the RPC-over-HTTPS transport by disabling the UDP transport and configuring the native HTTPS transport to listen on a different (blocked) port:

  1. Open the RD Gateway Manager
  2. Right-click on your server and select "Properties"
  3. Select the "Transport Settings" tab
  4. Uncheck "Enable UDP transport"
  5. Change the "HTTPS Port" to a different, nonstandard port number (e.g. 8443)
  6. Click OK, confirm the change, and exit the RD Gateway Manager
  7. Open the IIS Manager
  8. Expand "Sites" beneath your server in the left pane
  9. Right-click on the "Default Web Site", and click "Edit Bindings"
  10. Click "Add..."
  11. Set "Type" to "https" and "Port" to 443
  12. Select the correct SSL Certificate in the drop-down list
  13. Click "OK", and close the IIS Manager
  14. Run "iisreset" in an administrator command prompt
  15. Configure your firewall to block traffic to the specified RD Gateway port (e.g. 8443) on your server.
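To confirm the workaround above is actually in effect on the RD Gateway server, the following PowerShell audit script is added here as an example; it is not part of Duo's advisory or tooling. It assumes Windows Server 2012 with the NetTCPIP, NetSecurity and WebAdministration modules, that the nonstandard port chosen in step 5 is passed as -GatewayPort, and that the host firewall (not only a network firewall) carries the step 15 block rule; the UDP port 3391 is the RD Gateway UDP transport default, which the advisory does not state.

```powershell
# Added audit script (not Duo's code). Run elevated on the RD Gateway server.
# Assumptions: -GatewayPort is the nonstandard HTTPS port from step 5 (8443 in
# the advisory); 3391 is the RD Gateway UDP transport default (not stated in
# the advisory, supplied here as a known default).
param(
    [int]$GatewayPort = 8443,
    [int]$GatewayUdpPort = 3391
)
Import-Module NetTCPIP, NetSecurity, WebAdministration -ErrorAction Stop

$findings = @()

# Step 4: with UDP transport disabled, nothing should be bound to the UDP port.
if (Get-NetUDPEndpoint -LocalPort $GatewayUdpPort -ErrorAction SilentlyContinue) {
    $findings += "UDP transport still listening on $GatewayUdpPort (step 4 not applied)"
}

# Step 5: the RD Gateway HTTPS listener should now be on the nonstandard port.
if (-not (Get-NetTCPConnection -State Listen -LocalPort $GatewayPort -ErrorAction SilentlyContinue)) {
    $findings += "Nothing listening on TCP $GatewayPort (step 5 not applied or gateway service stopped)"
}

# Steps 9-13: IIS (RD Web Access and the RPC-over-HTTPS path) must own 443.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https |
    Where-Object { $_.bindingInformation -match ':443:' }
if (-not $binding) {
    $findings += "No IIS https binding on port 443 for 'Default Web Site' (steps 9-13 not applied)"
}

# Step 15: an enabled inbound block rule for the nonstandard port. If the block
# lives on a network firewall instead, verify from an external host that TCP
# $GatewayPort is unreachable; this host-side check will then report a finding.
$blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains $GatewayPort.ToString()) }
if (-not $blockRule) {
    $findings += "No enabled inbound Windows Firewall rule blocks TCP $GatewayPort (step 15 not applied)"
}

if ($findings.Count -eq 0) {
    Write-Output "Workaround in place: only RPC-over-HTTPS on 443 remains reachable for RD Gateway."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The script checks only that the transports are constrained as the steps describe; it does not prove that the second factor is enforced, so also confirm from a Windows 8 (RDP 8.0 or newer) client that a Duo challenge is presented before the connection succeeds.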

Solution

Duo Security is currently working on an update to these integrations, expected at the end of March 2014, that will cover these new transport mechanisms and ensure two-factor authentication is enforced on all logins.

Vulnerability Metrics

Vulnerability Class: Authentication Bypass Issue (CWE-592)
Remotely Exploitable: Yes
Authentication Required: Yes/Partial (first factor required; second factor bypassed)
Severity: High
CVSSv2 Overall Score: 7.2
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.7, Environmental: 7.2
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:W/RC:C/CDP:LM/TD:ND/CR:H/IR:H/AR:ND

References

Timeline

2013-12-23

  • Customer reported possible RDS 2FA bypass to Duo Security

2013-12-27

  • Duo Security acknowledges receipt of report, begins investigation

2014-01-02

  • Duo Security confirms issue, continues investigation

2014-01-06

  • Duo Security schedules patch/update, creates temporary workaround

2014-01-13

  • Advisory is drafted, sent to affected Duo Security Business and Enterprise customers

2014-02-04

  • Advisory is sent to affected Duo Security Personal customers

2014-02-12

  • Advisory is updated (rev3) to reflect change in timeline for fix

Credits/Contact

Feedback regarding this issue should be sent to security@duosecurity.com and reference "DUO-PSA-2014-002" in the subject.