Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-007
Publication Date: 2014-10-15
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo Security has identified an issue that may allow local users to bypass second factor authentication when using the pam_duo component of duo_unix in conjunction with specific versions of sudo.

Description

Code changes made in version 1.8.7 of sudo altered functionality that ultimately resulted in a bug in authentication handling. Because of this change, pam_duo-enabled sudo deployments were subject to have the second factor of authentication bypassed on systems running sudo versions 1.8.7 through 1.8.11 when pam_duo's failmode was configured as 'safe'. This sudo bug was fixed in 1.8.11p1 and the resulting bypass condition has been resolved.

If pam_duo was not used for sudo or pam_duo's failmode was configured as 'secure', this issue will not impact your environment. Further, existing sudo privileges have to be given to users in order for them to benefit from this authentication bypass. Lastly, users are still required to authenticate with their primary credential (likely a password) before being able to execute any authorized sudo commands.

Impact

Users that have existing sudo privilege may be able to skip having to authenticate via their second factor of authentication for sudo command execution. This could allow an attacker who already has access on the system to run authorized sudo commands with only having to type the user's password and not actually authenticating with Duo Security's service.

Affected Product(s)

Your Duo deployment is affected only if all of the following are true:

• Using duo_unix <= 1.9.12;
• Using pam_duo to protect the sudo service; and
• Using sudo >= 1.8.7 and < 1.8.11p1.

Users of following operating systems are likely using an impacted version of sudo:

• Ubuntu 14.04 (Trusty)
• OpenSuSE 13.1
• Fedora 20
• FreeBSD 9.2 and 10.0
• Arch Linux 2013-07-01 to 2014-09-25
• Mageia 4
• Linux Mint 17 (Qiana)

Solution

For customers running duo_unix 1.9.12 or earlier, upgrade to version 1.9.13. See https://duo.com/docs/duounix for installation instructions, and a link to download the latest version of the integration.

Workaround

If your duo_unix integration is unable to be upgraded immediately, each of the following individual workarounds should mitigate the risk of this sudo bug impacting pam_duo:

• Upgrade sudo to version 1.8.11p1 or later.
• Configure pam_duo's failmode to be 'secure'.
• Fully disable sudo access for users.

Vulnerability Metrics

Vulnerability Class: Authentication Bypass Issues (CWE-592)
Remotely Exploitable: No
Authentication Required: Yes
Severity: Medium
CVSSv2 Overall Score: 3.7
CVSSv2 Group Scores: Base: 3, Temporal: 2.6, Environmental: 3.7
CVSSv2 Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND)

References

• CWE-592: Authentication Bypass Issues - https://cwe.mitre.org/data/definitions/592.html
• sudo bug #666 - http://www.sudo.ws/bugs/show_bug.cgi?id=666

Timeline

2014-10-08

• Jason Strange from Techno Wizardry reports a possible 2FA bypass with pam_duo
• Duo acknowledges receipt of report and begins investigation

2014-10-09

• Duo finds that the underlying bypass issue was created through a now resolved bug in sudo
• Duo informs Jason Strange of the underlying issue and confirms expected behavior with him

2014-10-10

• Duo evaluates impacted versions of sudo and related packages for stable OS distributions
• Duo commits a code fix to our public duo_unix source tree to workaround sudo's bug

2014-10-13

• Duo releases duo_unix 1.9.13 containing a fix for impacted versions of sudo using pam_duo

2014-10-15

• Duo drafts advisory and shares it with affected customers

Credits/Contact

Duo Security would like to thank Jason Strange of Techno Wizardry for alerting us to the behavior which led us to find this issue.

Feedback regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2014-007" in the subject.