Advisory ID: DUO-PSA-2016-002
Publication Date: 2016-12-14
Revision Date: 2016-12-21
Status: Confirmed, Fixed
Document Revision: 2
Duo Security has identified an issue in the Duo Authentication Proxy which, under certain uncommon configurations, could enable attackers to bypass second-factor user authentication. Duo has no evidence that this vulnerability has been actively exploited, and we believe this specific configuration is extraordinarily uncommon.
This issue was resolved in version 2.4.18 of the Duo Authentication Proxy. Customers using an affected configuration (see "Solution" section below) should update to the latest version as soon as possible.
The Duo Authentication Proxy performs second-factor authentication by communicating with the Duo Auth API. When performing second-factor authentication for a user using an out-of-band method (i.e. Duo Push or phone call), the Auth API does not return a response until the user has approved or rejected the authentication attempt, or Duo's cloud service considers the authentication attempt "expired". By default, the Authentication Proxy does not itself enforce any timeout on these API calls; Duo's cloud service will generally consider all authentication attempts "expired" after not more than 60 seconds.
However, the Authentication Proxy offers an advanced configuration option called "api_timeout", which places an upper bound on the number of seconds to wait for a response from the Auth API. If this timeout is reached before the Auth API has returned a result, the Authentication Proxy treats the call as having failed and applies its configured "failmode". If "failmode" is set to "safe" (which is the default), the login is allowed even though the user never approved the request, which bypasses second-factor authentication. Note that "api_timeout" is only reached when it is shorter than the time the user takes to respond, so a value below Duo's own expiry window is what exposes the gap.
As of version 2.4.18, the Authentication Proxy will no longer trigger "fail-safe" behavior if an out-of-band authentication attempt prematurely times out.
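The following model illustrates the decision logic described above, before and after the fix. It is an added example written for this advisory, not code from the Duo Authentication Proxy; the `FakeAuthApi` class, its `answer_delay_s` and `reachable` parameters, and the two `second_factor_*` functions are constructed stand-ins, and the split between a transport failure (where "failmode" still applies) and a premature timeout (which the fixed proxy denies) is a simplification of the advisory's description.

```python
"""Model of the Duo Authentication Proxy's second-factor decision, before and
after the 2.4.18 fix. Simplified illustration written for this advisory; it is
not the proxy's own code, and the Auth API stand-in is constructed, not Duo's."""
import time


class FakeAuthApi:
    """Stand-in for the Duo Auth API (constructed for this example).

    An out-of-band factor (Duo Push, phone call) blocks until the user answers;
    answer_delay_s models how long that takes. reachable=False models the
    transport failure that the "failmode" setting exists for.
    """

    def __init__(self, user_answer, answer_delay_s, reachable=True):
        self.user_answer = user_answer        # "allow" or "deny": the user's decision
        self.answer_delay_s = answer_delay_s  # seconds until the user answers
        self.reachable = reachable

    def auth(self, username, timeout_s=None):
        """Return the user's decision. Raise TimeoutError if the caller's timeout
        (api_timeout) expires first, ConnectionError if the service is unreachable."""
        if not self.reachable:
            raise ConnectionError("Duo Auth API unreachable")
        if timeout_s is not None and self.answer_delay_s > timeout_s:
            time.sleep(timeout_s)  # proxy gives up before the user has answered
            raise TimeoutError(f"no answer for {username} within {timeout_s}s")
        time.sleep(self.answer_delay_s)
        return self.user_answer


def apply_failmode(failmode):
    """failmode=safe lets the login through when Duo is unavailable; secure denies."""
    return "allow" if failmode == "safe" else "deny"


def second_factor_pre_2_4_18(api, username, api_timeout=None, failmode="safe"):
    """Vulnerable behaviour: a premature api_timeout is handled like an outage,
    so failmode=safe (the default) admits the login although nobody approved it."""
    try:
        return api.auth(username, timeout_s=api_timeout)
    except (ConnectionError, TimeoutError):
        return apply_failmode(failmode)


def second_factor_fixed(api, username, api_timeout=None, failmode="safe"):
    """Fixed behaviour (2.4.18+): failmode still covers an unreachable service,
    but an out-of-band attempt that times out before the user answers is denied."""
    try:
        return api.auth(username, timeout_s=api_timeout)
    except ConnectionError:
        return apply_failmode(failmode)
    except TimeoutError:
        return "deny"


if __name__ == "__main__":
    # The user would tap "Deny" after 50 ms, but the proxy gives up after 10 ms.
    slow_deny = FakeAuthApi("deny", answer_delay_s=0.05)
    print("pre-2.4.18:", second_factor_pre_2_4_18(slow_deny, "alice", api_timeout=0.01))  # allow
    print("fixed:     ", second_factor_fixed(slow_deny, "alice", api_timeout=0.01))       # deny
```

The bypass in the first case does not depend on what the user eventually chooses: the proxy has already answered "allow" before the push is ever acted on. The fixed function still honours "failmode" for a genuine outage, which is the situation that setting was designed for.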
Attackers may be able to bypass second-factor authentication only on systems that authenticate users via affected configurations of the Duo Authentication Proxy.
Take the following steps to determine whether your configuration may be affected:
1. Open your authproxy.cfg file.
2. Search for "api_timeout". If this value is present, you must remove it, or upgrade your Duo Authentication Proxy to version 2.4.18 or later.
For more information on this process, please see our knowledge base for details on how to verify whether you're affected: https://kb.duo.com/s/article/3341
Customers using an affected configuration may work around this issue by removing all instances of "api_timeout" from authproxy.cfg, and restarting the Authentication Proxy.
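The check and workaround above can be scripted against authproxy.cfg, which is an INI-style file. The following is an added example written for this advisory, not a Duo-supplied tool; the sample configuration is constructed (placeholder keys and hosts), and the `find_api_timeout` and `strip_api_timeout` functions are names chosen here. It reports every section that sets "api_timeout" together with that section's effective "failmode" (defaulting to "safe", as the proxy does), and produces a copy of the file with the setting removed; restarting the Authentication Proxy afterwards is still required.

```python
"""Scan an authproxy.cfg for api_timeout and emit a copy without it.
Added example for this advisory, not a Duo tool. SAMPLE_CFG is constructed."""
import configparser
import sys

SAMPLE_CFG = """\
[main]
debug=false

[ad_client]
host=dc1.example.internal
service_account_username=duosvc
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=internal

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
radius_ip_1=10.0.0.5
radius_secret_1=PLACEHOLDER
failmode=safe
api_timeout=10
"""


def parse_cfg(text):
    """Parse authproxy.cfg text. interpolation=None keeps '%' in secrets intact;
    strict=False tolerates repeated keys rather than aborting the scan."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def find_api_timeout(text):
    """Return [(section, api_timeout, failmode)] for each section setting api_timeout.
    failmode falls back to 'safe' when absent, matching the proxy's default."""
    cp = parse_cfg(text)
    hits = []
    for section in cp.sections():
        if cp.has_option(section, "api_timeout"):
            hits.append((section,
                         cp.get(section, "api_timeout"),
                         cp.get(section, "failmode", fallback="safe")))
    return hits


def strip_api_timeout(text):
    """Workaround from the advisory: drop every api_timeout line and keep the
    rest of the file byte-for-byte, so nothing else about the config changes."""
    kept = []
    for line in text.splitlines(keepends=True):
        key = line.split("=", 1)[0].strip().lower()
        if key == "api_timeout":
            continue
        kept.append(line)
    return "".join(kept)


if __name__ == "__main__":
    # Usage: python check_authproxy.py [/path/to/authproxy.cfg]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    hits = find_api_timeout(text)
    if not hits:
        print("api_timeout not set: configuration not affected by DUO-PSA-2016-002")
    for section, value, failmode in hits:
        print(f"[{section}] api_timeout={value} failmode={failmode}: "
              "remove api_timeout or upgrade to 2.4.18 or later")
    sys.stdout.write(strip_api_timeout(text) if hits else "")
```

Any hit means the configuration is affected per the advisory, whether or not "failmode" is explicitly set; the failmode column is only there to show which sections would actually fail open.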
Customers using an affected configuration should upgrade to the latest version of the Duo Authentication Proxy as discussed above. Download the latest version from:
For more information on upgrading the Authentication Proxy, see https://duo.com/docs/authproxy_reference#upgrading-the-proxy
Vulnerability Class: CWE-636: Not Failing Securely ('Failing Open')
Remotely Exploitable: Yes
Authentication Required: Partial
CVSSv2 Overall Score: 6.2
CVSSv2 Group Scores: Base: 7.9, Temporal: 6.2
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:N/E:POC/RL:OF/RC:C)
Technical questions regarding this issue should be sent to firstname.lastname@example.org and reference "DUO-PSA-2016-002" in the subject, or to your Customer Success Manager, if appropriate.
Duo Security would like to thank Leo Pereira of Invitae for reporting this issue.