Advisory ID: DUO-PSA-2014-007
Publication Date: 2014-10-15
Status: Confirmed, Fixed
Document Revision: 1
Duo Security has identified an issue that may allow local users to bypass second factor authentication when using the pam_duo component of duo_unix in conjunction with specific versions of sudo.
Code changes made in version 1.8.7 of sudo altered functionality that ultimately resulted in a bug in authentication handling. Because of this change, pam_duo-enabled sudo deployments were subject to have the second factor of authentication bypassed on systems running sudo versions 1.8.7 through 1.8.11 when pam_duo's failmode was configured as 'safe'. This sudo bug was fixed in 1.8.11p1 and the resulting bypass condition has been resolved.
If pam_duo was not used for sudo or pam_duo's failmode was configured as 'secure', this issue will not impact your environment. Further, existing sudo privileges have to be given to users in order for them to benefit from this authentication bypass. Lastly, users are still required to authenticate with their primary credential (likely a password) before being able to execute any authorized sudo commands.
Users that have existing sudo privilege may be able to skip having to authenticate via their second factor of authentication for sudo command execution. This could allow an attacker who already has access on the system to run authorized sudo commands with only having to type the user's password and not actually authenticating with Duo Security's service.
Your Duo deployment is affected only if all of the following are true:
Users of following operating systems are likely using an impacted version of sudo:
For customers running duo_unix 1.9.12 or earlier, upgrade to version 1.9.13. See https://duo.com/docs/duounix for installation instructions, and a link to download the latest version of the integration.
If your duo_unix integration is unable to be upgraded immediately, each of the following individual workarounds should mitigate the risk of this sudo bug impacting pam_duo:
Vulnerability Class: Authentication Bypass Issues (CWE-592)
Remotely Exploitable: No
Authentication Required: Yes
CVSSv2 Overall Score: 3.7
CVSSv2 Group Scores: Base: 3, Temporal: 2.6, Environmental: 3.7
CVSSv2 Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND)
Duo Security would like to thank Jason Strange of Techno Wizardry for alerting us to the behavior which led us to find this issue.
Feedback regarding this issue should be sent to email@example.com and reference "DUO-PSA-2014-007" in the subject.