Advisory ID: DUO-PSA-2014-005
Publication Date: 2014-05-12
Revision Date: 2014-05-27
Status: Confirmed, Fixed
Document Revision: 3
Duo Security has identified an issue in its Credential Provider-based Remote Desktop Protocol (RDP) integrations (e.g. those installed on Windows Vista / Server 2008 and later) which may allow a user with an expired password, after completing primary and secondary authentication, to switch to another user account using that account's primary credentials, skipping secondary authentication for that account.
The RDP integration works to add two-factor authentication to Windows logins, both Remote Desktop and (optionally) the local console. When a user has provided valid credentials (username and password), the integration presents a second-factor authentication dialog for the provided username. Under normal operation, when the second-factor authentication is successful, the user is logged on.
However, if the user's password has expired, then rather than logging the user in, the integration presents a prompt requesting a password change. At this prompt, the user may type in a different username and its corresponding password - and if these credentials are valid, the user can proceed to log in as (and reset the password for) the new username without any second-factor authentication challenge for that username.
A valid user (with a valid username/password and secondary authenticator) may, if his/her password expires, be able to log in to another user account using only that account's username/password - i.e. without secondary authentication - after completing primary and secondary authentication for his/her own account.
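The flaw described above is a binding error: the second-factor result is issued for one username, but the password-change prompt that follows accepts primary credentials for any username and never checks that it is the same principal. The following model is an added illustration, not Duo's credential-provider code: it walks the three steps (primary authentication, second factor, change-password prompt on an expired password) with a vulnerable and a fixed variant of the prompt, so the difference in outcome can be seen directly. The accounts, passwords and second-factor results are constructed sample data; the function and field names are assumptions for the model.

```python
"""Model of the login flow described in DUO-PSA-2014-005.

Added illustration, not Duo's credential-provider code. Accounts,
passwords and second-factor results are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Accounts = Dict[str, Tuple[str, bool]]  # username -> (password, password_expired)


def sample_accounts() -> Accounts:
    """Constructed sample accounts; alice's password has expired."""
    return {"alice": ("alice-pw", True), "bob": ("bob-pw", False)}


@dataclass
class Session:
    accounts: Accounts
    mfa_user: Optional[str] = None      # principal that passed the second factor
    logged_on_as: Optional[str] = None  # principal the session was finally granted
    events: List[str] = field(default_factory=list)


def primary_auth(s: Session, username: str, password: str) -> bool:
    """Username/password check against the sample account table."""
    entry = s.accounts.get(username)
    ok = entry is not None and entry[0] == password
    s.events.append(f"primary-{'ok' if ok else 'fail'} {username}")
    return ok


def second_factor(s: Session, username: str, approved: bool) -> bool:
    """Record the second-factor result as bound to the username it was issued for."""
    s.events.append(f"mfa-{'ok' if approved else 'fail'} {username}")
    if approved:
        s.mfa_user = username
    return approved


def reset_and_logon(s: Session, username: str, new_password: str) -> None:
    """Apply the password change and complete the logon."""
    s.accounts[username] = (new_password, False)
    s.logged_on_as = username
    s.events.append(f"logon {username}")


def change_password_vulnerable(s: Session, username: str, old_pw: str, new_pw: str) -> bool:
    """Flawed prompt: any valid primary credentials typed here are accepted and
    the username is never compared with the one that passed the second factor,
    so a different account is logged on without its own second factor."""
    if not primary_auth(s, username, old_pw):
        return False
    reset_and_logon(s, username, new_pw)
    return True


def change_password_fixed(s: Session, username: str, old_pw: str, new_pw: str) -> bool:
    """Hardened prompt: the password change is tied to the principal that
    completed the second factor. A different username aborts the flow, which
    would have to start over (and pass the second factor) as that user."""
    if username != s.mfa_user:
        s.events.append(f"context-switch-denied {username}")
        return False
    if not primary_auth(s, username, old_pw):
        return False
    reset_and_logon(s, username, new_pw)
    return True


PromptImpl = Callable[[Session, str, str, str], bool]


def run_login(prompt: PromptImpl, username: str, password: str, mfa_approved: bool,
              switch_user: Optional[str] = None, switch_pw: Optional[str] = None,
              new_pw: str = "n3w-pw") -> Session:
    """Drive the flow end to end: primary auth, second factor, then either a
    direct logon or, if the password has expired, the change-password prompt,
    where the user may type a different username (switch_user / switch_pw)."""
    s = Session(sample_accounts())
    if not primary_auth(s, username, password):
        return s
    if not second_factor(s, username, mfa_approved):
        return s
    if not s.accounts[username][1]:  # password still valid: normal logon
        s.logged_on_as = username
        s.events.append(f"logon {username}")
        return s
    prompt(s, switch_user or username, switch_pw or password, new_pw)
    return s


if __name__ == "__main__":
    bad = run_login(change_password_vulnerable, "alice", "alice-pw", True, "bob", "bob-pw")
    good = run_login(change_password_fixed, "alice", "alice-pw", True, "bob", "bob-pw")
    print("vulnerable:", bad.logged_on_as, bad.events)
    print("fixed:     ", good.logged_on_as, good.events)
```

In the vulnerable run the event log ends with `logon bob` although the only `mfa-ok` event names alice; in the fixed run the prompt records `context-switch-denied bob` and grants nothing. The general rule the fixed variant applies is that every step after the second factor must carry the authenticated principal forward and refuse to act for any other, rather than re-deriving the principal from whatever is typed into a later prompt.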
Install the latest version of the Duo Security RDP Integration (currently, version 1.1.7) on your host. The latest version can be downloaded at https://dl.duosecurity.com/duo-win-login-latest.exe
Vulnerability Class: Privilege Context Switching Error (CWE-270)
Remotely Exploitable: No
Authentication Required: Yes
Severity: Medium
CVSSv2 Overall Score: 5.1
CVSSv2 Group Scores: Base: 5.3, Temporal: 4.6, Environmental: 5.1
CVSSv2 Vector: (AV:L/AC:H/Au:M/C:C/I:C/A:N/E:ND/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND)
Feedback regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2014-005" in the subject.