Duo Product Security Advisory
Advisory ID: DUO-PSA-2014-002
Publication Date: 2014-01-09
Status: Confirmed, Unfixed
Document Revision: 3
Overview
Duo Security has identified an issue in which it is possible to bypass second factor authentication of Remote Desktop Web Access and Remote Desktop Gateway integrations when they are installed on Windows Server 2012 (or newer).
Description
Under normal operation, both of these integrations work to add two-factor authentication by restricting connections through Remote Desktop Gateway:
- The "RD Web Access integration" requires users to first complete 2-factor authentication through RD Web Access before permitting them to connect through RD Gateway
- The "RD Gateway integration" initiates an out-of-band challenge (e.g. via Duo Push or a phone call) at the point when a user initiates a connection to RD Gateway
Duo’s integrations specifically protect the RPC-over-HTTPS transport used by RD Gateway on Windows Server 2008 R2. However, Windows Server 2012 added two new transport mechanisms that Duo’s integration does not currently protect. If a user connects to Windows Server 2012 using version 8.0 (or newer) of Microsoft's RDP client - e.g. from a Windows 8 client - then two-factor authentication will not be enforced.
(For more details on the circumstances under which the newer RD Gateway transport mechanisms are used, see "What's new in Windows Server 2012 Remote Desktop Gateway", linked under References.)
Impact
A user with valid primary authentication credentials (username and password) may be able to bypass the second factor of authentication.
Affected Product(s)
- Duo "Remote Desktop Web Access" integration 1.0.2 and below
- Duo "Remote Desktop Gateway" integration 1.0.2 and below
Workaround
As a temporary workaround, you can force all clients connecting to your RD Gateway server to use the RPC-over-HTTPS transport by disabling the UDP transport and configuring the native HTTPS transport to listen on a different (blocked) port:
- Open the RD Gateway Manager
- Right-click on your server and select "Properties"
- Select the "Transport Settings" tab
- Uncheck "Enable UDP transport"
- Change the "HTTPS Port" to a different, nonstandard port number (e.g. 8443)
- Click OK, confirm the change, and exit the RD Gateway Manager
- Open the IIS Manager
- Expand "Sites" beneath your server in the left pane
- Right-click on the "Default Web Site", and click "Edit Bindings"
- Click "Add..."
- Set "Type" to "https" and "Port" to 443
- Select the correct SSL Certificate in the drop-down list
- Click "OK", and close the IIS Manager
- Run "iisreset" in an administrator command prompt
- Configure your firewall to block traffic to the specified RD Gateway port (e.g. 8443) on your server.
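The IIS, iisreset and firewall steps above, plus a check that the workaround actually took effect, as an added PowerShell example that is not part of the Duo advisory. It assumes the RD Gateway Manager steps (UDP transport disabled, HTTPS port moved to 8443) have already been done in the GUI, uses the advisory's example port and site name, and takes the certificate thumbprint as a placeholder; UDP 3391 is the default RD Gateway UDP transport port, which the advisory does not name.

```powershell
# Added example (not Duo's code): automate the IIS binding and firewall steps of
# the DUO-PSA-2014-002 workaround, then verify the resulting listener state.
Import-Module WebAdministration   # ships with the IIS management tools
Import-Module NetSecurity         # Windows Server 2012+ firewall cmdlets

$SiteName    = "Default Web Site"
$GatewayPort = 8443               # nonstandard HTTPS port set in RD Gateway Manager
$CertThumb   = "<thumbprint-of-your-rd-gateway-certificate>"   # placeholder

# Add an HTTPS binding on 443 so RD Web Access stays reachable on the standard port.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress "*"
    # Attach the certificate to the new listener (the GUI's drop-down selection).
    Get-Item "Cert:\LocalMachine\My\$CertThumb" |
        New-Item "IIS:\SslBindings\0.0.0.0!443" | Out-Null
}

# Restart IIS so the new binding is live.
iisreset | Out-Null

# Block inbound traffic to the relocated native HTTPS transport port.
$RuleName = "Block RD Gateway native HTTPS ($GatewayPort)"
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort $GatewayPort -Action Block | Out-Null
}

# Verify: the UDP transport (default UDP 3391) must not be listening, IIS must be
# listening on TCP 443, and a Block rule for the gateway port must exist.
$udp  = Get-NetUDPEndpoint  -LocalPort 3391 -ErrorAction SilentlyContinue
$tcp  = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

[pscustomobject]@{
    UdpTransportListening = [bool]$udp                  # expect False
    Https443Listening     = [bool]$tcp                  # expect True
    GatewayPortBlocked    = ($rule.Action -eq "Block")  # expect True
}
```

Run it in an elevated PowerShell session on the RD Gateway server; any unexpected value in the output object means the corresponding GUI step has not taken effect.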
Solution
Duo Security is currently working on an update to these integrations, expected at the end of March 2014, that will cover the new transport mechanisms and ensure two-factor authentication is enforced on all logins.
Vulnerability Metrics
Vulnerability Class: Authentication Bypass Issue (CWE-592)
Remotely Exploitable: Yes
Authentication Required: Yes/Partial (first factor required; second factor bypassed)
Severity: High
CVSSv2 Overall Score: 7.2
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.7, Environmental: 7.2
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:W/RC:C/CDP:LM/TD:ND/CR:H/IR:H/AR:ND
References
- What's new in Windows Server 2012 Remote Desktop Gateway - https://techcommunity.microsoft.com/t5/security-compliance-and-identity/what-8217-s-new-in-windows-server-2012-remote-desktop-gateway/ba-p/247611
- CWE-592: Authentication Bypass Issues - https://cwe.mitre.org/data/definitions/592.html
Timeline
2013-12-23
- Customer reported possible RDS 2FA bypass to Duo Security
2013-12-27
- Duo Security acknowledges receipt of report, begins investigation
2014-01-02
- Duo Security confirms issue, continues investigation
2014-01-06
- Duo Security schedules patch/update, creates temporary workaround
2014-01-13
- Advisory is drafted, sent to affected Duo Security Business and Enterprise customers
2014-02-04
- Advisory is sent to affected Duo Security Personal customers
2014-02-12
- Advisory is updated (rev3) to reflect change in timeline for fix
Credits/Contact
Feedback regarding this issue should be sent to security@duosecurity.com and reference "DUO-PSA-2014-002" in the subject.