Advisory ID: DUO-PSA-2015-003
Original Publication Date: 2015-08-06
Revision Date: 2015-08-10
Status: Confirmed, Fixed
Document Revision: 2
Duo Security has identified an issue which, under certain configurations, could have enabled attackers to bypass second-factor authentication.
Note: this issue has been resolved through a patch to Duo's backend service; most Duo customers need not take any action. Duo has determined that only a very small number of customers may have been affected by this issue, and has separately contacted those customers with additional remediation steps.
When interacting with Duo-protected applications using Duo's Web SDK, Duo's two-factor authentication system did not strip leading whitespace from usernames. As a result, a username (e.g. "alice") was treated as distinct from the same username with whitespace in front of it (e.g. "[space]alice"). It would have been possible for an attacker to exploit this behavior to bypass second-factor authentication if:
For example, if an attacker had gained knowledge of the password for user "alice", then he could instead log in as "[space]alice". Then, after completing primary authentication, he would either receive a prompt from Duo to enroll as a new user, or be permitted to skip 2FA entirely (given "Require Enrollment" and "Allow Access" policies, respectively). In either case, he would bypass the existing 2FA setup for "alice".
Attackers who gained knowledge of a user's primary credentials may have been able to bypass second-factor authentication for certain applications using the Web SDK.
The issue affected Duo's 2-factor authentication service; however, only the following types of applications have met the necessary conditions (described above) to trigger it:
The issue has been resolved through a patch to Duo's backend service; Duo now trims whitespace from usernames before performing any lookups. Customers do not need to apply any software updates.
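The following sketch is an added example, not Duo's code: it models the lookup described above with and without trimming, and includes an audit helper that flags stored usernames which collide with another record once trimmed. The enrollment table, function names and return strings are hypothetical; only the two policy labels come from this advisory.

```python
# Added illustration, not Duo's code. ENROLLED, decide() and the other names
# are hypothetical; the policy labels are the two named in the advisory.
ENROLLED = {"alice": "phone-1"}  # constructed sample: username -> 2FA device


def no_normalization(username):
    """Pre-fix behaviour: the username is used as the lookup key unchanged."""
    return username


def trim_whitespace(username):
    """Post-fix behaviour: whitespace is trimmed before any lookup."""
    return username.strip()


def decide(username, new_user_policy, normalize):
    """2FA decision for a user who has already passed primary authentication."""
    key = normalize(username)
    if key in ENROLLED:
        return "challenge:" + ENROLLED[key]
    # No enrollment record under this key: the new-user policy applies.
    if new_user_policy == "Require Enrollment":
        return "enroll"
    if new_user_policy == "Allow Access":
        return "allow"
    raise ValueError("unknown policy: " + new_user_policy)


def find_shadow_usernames(usernames):
    """Audit helper: names that collide with another record once trimmed."""
    known = set(usernames)
    return [u for u in usernames if u != u.strip() and u.strip() in known]


if __name__ == "__main__":
    for policy in ("Require Enrollment", "Allow Access"):
        print(policy, "| before:", decide(" alice", policy, no_normalization),
              "| after:", decide(" alice", policy, trim_whitespace))
    print(find_shadow_usernames(["alice", " alice", "bob"]))
```

Normalizing once, at the point where the username enters the second-factor lookup, keeps primary and secondary authentication keyed on the same identity.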
Duo has identified a very small group of customers who may have been affected by this issue, and has separately contacted them with additional remediation steps.
Vulnerability Class: CWE-156: Improper Neutralization of Whitespace
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 5.5
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3, Environmental: 5.5
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND
Duo Security would like to thank University of Nebraska-Lincoln for reporting this issue.
Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2015-003" in the subject.
Other feedback regarding this issue can be sent to security@duosecurity.com.