Duo Product Security Advisory

Advisory ID: DUO-PSA-2015-001
Original Publication Date: 2015-02-03
Revision Date: 2015-02-10
Status: Confirmed, Fixed
Document Revision: 3

Overview

Duo Security has identified an issue in certain versions of the Duo Web SDK that could allow attackers to bypass primary and secondary authentication if they have separately gained access to the Duo integration's secret key, and can create valid usernames containing pipe characters ('|').

Note: This issue does not affect any Duo-authored integrations; it only affects custom integrations developed using affected versions of the Web SDK.

Description

Duo's Web SDK requires two secret values: the integration secret key (SKEY) and an application secret key (AKEY). The SKEY is shared between Duo and the application incorporating the Web SDK integration, while the AKEY must be known only to the application.

Both of these values must be kept confidential. In the unlikely event that attackers gained access to the SKEY, they could use it to bypass secondary authentication. However, the Duo Web SDK incorporates an additional mechanism, using the AKEY, to ensure that attackers would only be able to use the SKEY to bypass secondary authentication; i.e. they would still need access to a target user's primary credentials (or to the AKEY itself) to log in.

Recently, Duo Security became aware of an issue in which certain versions of the Web SDK perform insufficiently-strict validation of responses from Duo's service. This issue could allow attackers to bypass this AKEY-based protection in an application using an affected version of the Web SDK, if they have separately gained access to the integration's confidential SKEY and can also create a valid user account with a username containing pipe characters ('|').

Impact

With affected versions of the Duo Web SDK, attackers may be able to bypass primary and secondary authentication if they can both:

  • Gain separate access to the Web SDK integration's confidential SKEY
  • Create a valid username containing pipe characters ('|')

The Web SDK's design relies on the SKEY being kept confidential; this issue can only be exploited in cases where a core security requirement has already been violated. As such, Duo Security considers the overall severity of this issue to be low.

Affected Product(s)

Duo Web SDKs for:

  • Ruby
  • Java
  • Perl
  • PHP
  • ColdFusion

The Web SDKs for Python, ASP Classic, ASP.NET, and NodeJS were not affected.

In addition, while Duo provides some integrations that incorporate affected versions of the Web SDK (for Confluence, Jira, Shibboleth, MediaWiki, Wordpress, and Drupal), we have determined that none of these integrations are affected by this issue.

Solution

For customers using custom integrations developed with affected versions of the Web SDK: update to the latest Web SDK.

All affected versions of the Web SDK have been patched to strictly validate responses, and reject usernames that contain pipe characters. The latest versions of the Web SDK can be found at:

Workaround

Applications may mitigate this issue (without updating the Web SDK) if they either:

  • Do not allow usernames that contain pipe characters, or
  • Use some alternate means (e.g. session state) to store the username of a user upon successful primary authentication, and then verify that the Duo-returned username (from 'verify_response()') exactly matches the previously-stored value.
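As an added illustration (not Duo's own code), here are both workarounds applied in a Ruby application that uses the Web SDK. It assumes a Hash-like `session` store, that the application calls `verify_response()` itself and passes its return value in as `duo_user`, and that `verify_response()` returns the username string on success and nil on failure.

```ruby
# Added example, not part of the Duo Web SDK or this advisory.
# Two application-level mitigations from the Workaround section:
#   1. refuse usernames that contain a pipe character;
#   2. bind the Duo-returned username to the identity that passed
#      primary authentication, stored in session state.

PIPE = '|'.freeze

# Mitigation 1: a username is acceptable only if non-empty and pipe-free.
def valid_username?(username)
  return false unless username.is_a?(String) && !username.empty?
  !username.include?(PIPE)
end

# Constant-time equality for two strings of equal length.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Call after primary authentication succeeds; stores the identity that the
# second-factor result must later match. Returns false if the username is
# rejected (so a pipe-containing account never reaches the Duo step).
def record_primary_auth(session, username)
  return false unless valid_username?(username)
  session[:primary_user] = username
  true
end

# Mitigation 2: call after the Duo callback. `duo_user` is the value the
# application got back from verify_response() (assumed: String or nil).
# Login completes only if it exactly matches the stored primary identity.
def complete_login(session, duo_user)
  stored = session[:primary_user]
  return false if stored.nil? || !duo_user.is_a?(String)
  return false unless valid_username?(duo_user)
  return false unless secure_equal?(stored, duo_user)
  session.delete(:primary_user)
  session[:authenticated_user] = stored
  true
end
```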

Vulnerability Metrics

Vulnerability Class: Improper Handling of Extra Parameters (CWE-235)
Remotely Exploitable: Yes
Authentication Required: No
Severity: Low
CVSSv2 Overall Score: 4.5
CVSSv2 Group Scores: Base: 4, Temporal: 3.3, Environmental: 4.5
CVSSv2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:H

References

Timeline

2015-01-21

  • Researchers from Sakurity report a possible issue in the Duo Web SDK for Ruby
  • Duo acknowledges receipt of the report; begins investigation
  • Duo confirms the issue in the Duo Web SDK for Ruby

2015-01-22

  • Duo determines that the Web SDKs for PHP, Perl, Java, and ColdFusion are also affected
  • Duo confirms that all other versions of the Web SDK, and all other Duo integrations, are unaffected

2015-01-27

  • Duo develops patches for all affected versions of the Web SDK

2015-02-03

  • Duo updates all affected versions of the Web SDK
  • Duo drafts advisory and shares it with affected Enterprise and Business customers

2015-02-10

  • Duo updates advisory and shares it with affected Personal customers

Credits/Contact

Duo Security would like to thank the team at Sakurity for discovering and reporting this issue.

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2015-001" in the subject.

Other feedback regarding this issue can be sent to security@duosecurity.com.