Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-006
Publication Date: 2014-10-09
Revision Date: 2014-10-16
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue in which it may be possible for users to perform certain actions without completing two-factor authentication on systems which use the Duo OWA integration (prior to version 1.1.6).

Description

Starting with Exchange Server 2010, deployments of Outlook Web App (OWA) consist of two different user-facing web applications: OWA itself, and the Exchange Control Panel (ECP, also known as the "Exchange Admin Center" in Exchange Server 2013). In a typical deployment, with the Exchange Client Access Server role deployed to a server named mail.example.com, users log into OWA by visiting https://mail.example.com/owa, and users can access ECP at https://mail.example.com/ecp.

For unprivileged users, ECP provides self-service access to a variety of email and account settings; users typically can, for example:

• Add, edit, or remove mail filters
• Change their passwords
• Set up auto-reply actions

Administrators can additionally use ECP to manage the Exchange deployment. In Exchange Server 2013, in particular, the "Exchange Admin Center" is the primary administrative UI for Exchange.

Prior to version 1.1.6, Duo's OWA integration only added two-factor protection to the OWA application, not the ECP application. Users visiting any URL beginning with https://mail.example.com/owa would be required to complete Duo authentication, but users visiting a URL beginning with https://mail.example.com/ecp would only need to complete primary authentication (e.g. enter a username and password).

(Note that, by design, Duo's OWA integration does not interfere with thick-client access to mail through components like Outlook Anywhere, ActiveSync, or Exchange Web Services. We recommend that customers configure their Exchange deployments accordingly, e.g. by blocking internet-facing access to these services if appropriate.)

Impact

Users with valid primary authentication credentials (username and password) can log into the Exchange Control Panel (or Exchange Admin Center) without completing secondary authentication. Regular users can use ECP to edit personal settings - for example, change their passwords and edit mail filter rules. Administrators can additionally use ECP to perform a wide range of administrative actions on the Exchange deployment.

Affected Product(s)

• Duo Security OWA Integration 1.1.5 and earlier, when used with Exchange Server 2010 or 2013. (Exchange Server 2007 is unaffected.)

Solution

• For customers running Exchange Server 2010 or 2013: Install the Duo Security OWA Integration version 1.1.7 (or later) on your Exchange Client Access Server instance(s). See https://duo.com/docs/owa for installation instructions, and a link to download the latest version of the integration.
• For customers running Exchange Server 2007: No action is required.

Workaround

There is no complete workaround for this issue. However, in some cases, the following options may help mitigate its impact:

• Customers may disable administrative features in ECP (particularly on internet-facing Client Access Server instances) as documented on http://technet.microsoft.com/en-us/library/jj218639(v=exchg.150).aspx.
• If user access to internet-facing Client Access Server deployments is mediated through a reverse-proxy or web filter, it may be possible to block access to all ECP URL paths (i.e. those beginning with /ecp). However, this will interfere with users' ability to access their mail settings.

Vulnerability Metrics

Vulnerability Class: Use of Single-factor Authentication (CWE-308)
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: Medium
CVSSv2 Overall Score: 5.1
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3, Environmental: 5.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:ND/CDP:ND/TD:ND/CR:H/IR:H/AR:H)

References

• CWE-308: Use of Single-factor Authentication - https://cwe.mitre.org/data/definitions/308.html
• Exchange Admin Center - http://technet.microsoft.com/en-us/library/jj218639(v=exchg.150).aspx

Timeline

2014-07-24

• Researchers from FireID Security report possible 2FA bypass in OWA integration
• Duo acknowledges receipt of report; begins investigation

2014-08-12

• Duo confirms the issue and begins implementing a fix

2014-08-27

• Duo updates OWA integration to 1.1.6, adding 2-factor authentication to ECP

2014-08-29

• Duo receives reports that the 1.1.6 update interferes with thick-client access to Exchange Server (e.g. Outlook Anywhere, ActiveSync, and EWS)

2014-09-04

• Duo confirms the bug in version 1.1.6, and begins work on a fix

2014-09-11

• Duo updates OWA integration to version 1.1.7, with a fix to allow Outlook Anywhere, ActiveSync, and EWS traffic while requiring 2-factor authentication for OWA and ECP

2014-10-09

• Duo drafts advisory and shares it with affected Enterprise customers

2014-10-16

• Duo shares advisory with affected Business and Personal customers

Credits/Contact

Duo Security would like to thank Kobus Botha and Konrad Blum of FireID Security for discovering and reporting this issue.

Feedback regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2014-006" in the subject.