Advisory ID: DUO-PSA-2014-006
Publication Date: 2014-10-09
Revision Date: 2014-10-16
Status: Confirmed, Fixed
Document Revision: 2
Duo Security has identified an issue in which it may be possible for users to perform certain actions without completing two-factor authentication on systems which use the Duo OWA integration (prior to version 1.1.6).
Starting with Exchange Server 2010, deployments of Outlook Web App (OWA) consist of two different user-facing web applications: OWA itself, and the Exchange Control Panel (ECP, also known as the "Exchange Admin Center" in Exchange Server 2013). In a typical deployment, with the Exchange Client Access Server role deployed to a server named mail.example.com, users log into OWA by visiting https://mail.example.com/owa, and users can access ECP at https://mail.example.com/ecp.
For unprivileged users, ECP provides self-service access to a variety of email and account settings; users typically can, for example:
Administrators can additionally use ECP to manage the Exchange deployment. In Exchange Server 2013, in particular, the "Exchange Admin Center" is the primary administrative UI for Exchange.
Prior to version 1.1.6, Duo's OWA integration only added two-factor protection to the OWA application, not the ECP application. Users visiting any URL beginning with https://mail.example.com/owa would be required to complete Duo authentication, but users visiting a URL beginning with https://mail.example.com/ecp would only need to complete primary authentication (e.g. enter a username and password).
(Note that, by design, Duo's OWA integration does not interfere with thick-client access to mail through components like Outlook Anywhere, ActiveSync, or Exchange Web Services. We recommend that customers configure their Exchange deployments accordingly, e.g. by blocking internet-facing access to these services if appropriate.)
Users with valid primary authentication credentials (username and password) can log into the Exchange Control Panel (or Exchange Admin Center) without completing secondary authentication. Regular users can use ECP to edit personal settings - for example, change their passwords and edit mail filter rules. Administrators can additionally use ECP to perform a wide range of administrative actions on the Exchange deployment.
There is no complete workaround for this issue. However, in some cases, the following options may help mitigate its impact:
Vulnerability Class: Use of Single-factor Authentication (CWE-308)
Remotely Exploitable: Yes
Authentication Required: Yes
CVSSv2 Overall Score: 5.1
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3, Environmental: 5.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:ND/CDP:ND/TD:ND/CR:H/IR:H/AR:H)
Duo Security would like to thank Kobus Botha and Konrad Blum of FireID Security for discovering and reporting this issue.
Feedback regarding this issue should be sent to firstname.lastname@example.org and reference "DUO-PSA-2014-006" in the subject.