Advisory ID: DUO-PSA-2014-002
Publication Date: 2014-01-09
Status: Confirmed, Unfixed
Document Revision: 3
Duo Security has identified an issue in which it is possible to bypass second factor authentication of Remote Desktop Web Access and Remote Desktop Gateway integrations when they are installed on Windows Server 2012 (or newer).
Under normal operation, both of these integrations work to add two-factor authentication by restricting connections through Remote Desktop Gateway:
Duo’s integrations specifically protect the RPC-over-HTTPS transport used by RD Gateway on Windows Server 2008 R2. However, Windows Server 2012 added two new transport mechanisms that Duo’s integration does not currently protect. If a user connects to Windows Server 2012 using version 8.0 (or newer) of Microsoft's RDP client - e.g. from a Windows 8 client - then two-factor authentication will not be enforced.
(For more details on the circumstances under which the newer RD Gateway transport mechanisms are used, see "What's new in Windows Server 2012 Remote Desktop Gateway".)
A user with valid primary authentication credentials (username and password) may be able to bypass the second factor of authentication.
As a temporary workaround, you can force all clients connecting to your RD Gateway server to use the RPC-over-HTTPS transport by disabling the UDP transport and configuring the native HTTPS transport to listen on a different (blocked) port:
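As an added example that is not part of this advisory, the following PowerShell check, run on the RD Gateway host itself, reports whether the workaround is actually in effect: no UDP listener for the RD Gateway UDP transport, and an enabled inbound firewall block rule on the port the native HTTPS transport was moved to. It assumes the RD Gateway UDP transport's default port of UDP 3391 and a hypothetical alternate HTTPS port of 3443; adjust both to your configuration.

```powershell
# Added verification check for the Duo advisory workaround; not Duo's code.
# Assumptions: RD Gateway's UDP transport uses UDP 3391 by default, and the
# operator moved the native HTTPS transport to $NativeHttpsPort (3443 is a
# hypothetical value) and blocked that port at the host firewall.
param(
    [int]$NativeHttpsPort = 3443,  # hypothetical alternate native HTTPS port
    [int]$UdpPort = 3391           # RD Gateway UDP transport default
)

$ok = $true

# 1. The UDP transport must not be listening at all; an RDP 8.0+ client that
#    can reach it never traverses the RPC-over-HTTPS path Duo protects.
$udp = Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue
if ($udp) {
    Write-Warning "UDP transport still listening on UDP/$UdpPort; second factor can be bypassed."
    $ok = $false
} else {
    Write-Output "OK: no UDP listener on UDP/$UdpPort."
}

# 2. The native HTTPS transport may still listen locally, but there must be an
#    enabled inbound Block rule for its port so clients cannot reach it.
$listening = Get-NetTCPConnection -State Listen -LocalPort $NativeHttpsPort -ErrorAction SilentlyContinue
if ($listening) {
    Write-Output "Info: native HTTPS transport is listening on TCP/$NativeHttpsPort."
}

$blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        # LocalPort is a string or string[]; ranges such as "3000-4000" are not expanded here.
        $filter.Protocol -eq 'TCP' -and ($filter.LocalPort -contains "$NativeHttpsPort")
    }

if ($blockRules) {
    Write-Output ("OK: inbound block rule(s) for TCP/{0}: {1}" -f $NativeHttpsPort, ($blockRules.DisplayName -join ', '))
} else {
    Write-Warning "No enabled inbound Block rule found for TCP/$NativeHttpsPort; native HTTPS transport may be reachable."
    $ok = $false
}

if (-not $ok) { exit 1 }
Write-Output "Workaround appears to be in effect."
```

A block rule whose port filter uses a range that covers the port will not be recognised by this check; confirm such rules by hand.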
Duo Security is currently working on an update to these integrations, expected at the end of March 2014, that will cover these new transport mechanisms and ensure two-factor authentication is enforced on all logins.
Vulnerability Class: Authentication Bypass Issue (CWE-592)
Remotely Exploitable: Yes
Authentication Required: Yes/Partial (first factor required; second factor bypassed)
Severity: High
CVSSv2 Overall Score: 7.2
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.7, Environmental: 7.2
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:W/RC:C/CDP:LM/TD:ND/CR:H/IR:H/AR:ND
Feedback regarding this issue should be sent to security@duosecurity.com and reference "DUO-PSA-2014-002" in the subject.