Duo Product Security Advisory
Advisory ID: DUO-PSA-2015-003
Original Publication Date: 2015-08-06
Revision Date: 2015-08-10
Status: Confirmed, Fixed
Document Revision: 2
Overview
Duo Security has identified an issue which, under certain configurations, could have enabled attackers to bypass second-factor authentication.
Note: this issue has been resolved through a patch to Duo's backend service; most Duo customers need not take any action. Duo has determined that only a very small number of customers may have been affected by this issue, and has separately contacted those customers with additional remediation steps.
Description
When interacting with Duo-protected applications using Duo's Web SDK, Duo's two-factor authentication system did not strip leading whitespace from usernames. As a result, a username (e.g. "alice") was treated as distinct from the same username with whitespace in front of it (e.g. "[space]alice"). It would have been possible for an attacker to exploit this behavior to bypass second-factor authentication if:
- An application using Duo's Web SDK stripped (or ignored) leading whitespace in usernames for primary authentication, but sent usernames with leading whitespace to Duo's service; and
- The "New User Policy" for the application was set to "Require Enrollment" or "Allow Access"
For example, if an attacker had learned the password for user "alice", he could instead log in as "[space]alice". After completing primary authentication, he would either be prompted by Duo to enroll as a new user (under "Require Enrollment") or be granted access with no second factor at all (under "Allow Access"). In either case, he would bypass the existing 2FA enrollment for "alice".
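The following simulation is an added example and is not Duo's code or the Web SDK; it models the mismatch described above (application strips leading whitespace for primary authentication but forwards the raw username to Duo) and the backend fix described under Solution (trim before lookup). The user directory, password store, policy strings and function names are assumptions made for illustration.

```python
# Added example (not Duo's code): models the username-handling mismatch behind
# DUO-PSA-2015-003 and the backend fix. All names, stores and policies are
# constructed for illustration.

# Constructed Duo-side directory: username -> enrolled in 2FA?
ENROLLED = {"alice": True}

# Constructed application-side primary-auth store: username -> password
PASSWORDS = {"alice": "correct horse battery staple"}


def primary_auth(username, password):
    """Application-side primary authentication, modelled on the affected
    integrations: the password check ignores leading whitespace, but the
    username is forwarded to Duo exactly as the user typed it."""
    canonical = username.lstrip()
    if PASSWORDS.get(canonical) == password:
        return username          # raw, un-trimmed username goes to Duo
    return None


def duo_second_factor(username, new_user_policy, trim_whitespace):
    """Simulated Duo backend decision.

    trim_whitespace=False reproduces the pre-patch lookup ("[space]alice" is
    a different user from "alice"); True reproduces the fix, which trims the
    username before any lookup. Returns one of:
    'require_2fa', 'enroll', 'allow', 'deny'."""
    lookup = username.strip() if trim_whitespace else username
    if ENROLLED.get(lookup):
        return "require_2fa"     # known, enrolled user: second factor enforced
    # Unknown user: the application's New User Policy decides.
    if new_user_policy == "Require Enrollment":
        return "enroll"          # attacker would enroll their own device
    if new_user_policy == "Allow Access":
        return "allow"           # no second factor at all
    return "deny"                # "Deny Access" policy: not exploitable


def login(username, password, new_user_policy, trim_whitespace):
    """End-to-end outcome for one login attempt."""
    forwarded = primary_auth(username, password)
    if forwarded is None:
        return "primary_failed"
    return duo_second_factor(forwarded, new_user_policy, trim_whitespace)


def canonical_duo_username(username):
    """Application-side defence in depth: send Duo exactly the identity that
    primary authentication actually validated, so both sides agree on who
    the user is regardless of backend normalisation."""
    return username.strip()


if __name__ == "__main__":
    pw = PASSWORDS["alice"]
    for policy in ("Require Enrollment", "Allow Access", "Deny Access"):
        print(policy, "pre-patch:", login(" alice", pw, policy, False),
              "patched:", login(" alice", pw, policy, True))
```

Run as a script, the table shows the three outcomes the advisory lists: before the patch, "[space]alice" reaches the enrollment prompt or is allowed straight through under the two affected policies, and is refused only under "Deny Access"; with trimming enabled, every variant of the name resolves to the enrolled "alice" and the second factor is enforced. Applications that build their own Web SDK integration should still pass Duo the canonical username they authenticated (the `canonical_duo_username` step) rather than relying on the service to repair the mismatch.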
Impact
Attackers who gained knowledge of a user's primary credentials may have been able to bypass second-factor authentication for certain applications using the Web SDK.
Affected Product(s)
The issue affected Duo's 2-factor authentication service; however, only the following types of applications have met the necessary conditions (described above) to trigger it:
- Duo's Shibboleth integration
- Unicon's CAS integration
- Customer-developed applications using the Duo Web SDK
Solution
The issue has been resolved through a patch to Duo's backend service; Duo now trims whitespace from usernames before performing any lookups. Customers do not need to apply any software updates.
Duo has identified a very small group of customers who may have been affected by this issue, and has separately contacted them with additional remediation steps.
Vulnerability Metrics
Vulnerability Class: CWE-156: Improper Neutralization of Whitespace
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 5.5
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3, Environmental: 5.5
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND
References
Timeline
2015-08-04
- Customer reports that adding whitespace to usernames when using the Unicon CAS integration can result in a 2FA bypass
2015-08-05
- Engineers at Duo confirm the issue
- Duo develops a fix and applies it across Duo's production infrastructure
2015-08-06
- Duo drafts and publishes advisory
2015-08-10
- Advisory updated to reflect that all affected customers have now been contacted
Credits/Contact
Duo Security would like to thank University of Nebraska-Lincoln for reporting this issue.
Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2015-003" in the subject.
Other feedback regarding this issue can be sent to security@duosecurity.com.