
Duo Product Security Advisory

Advisory ID: DUO-PSA-2016-002
Publication Date: 2016-12-14
Revision Date: 2016-12-21
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue in the Duo Authentication Proxy which, under certain uncommon configurations, could enable attackers to bypass second-factor user authentication. Duo has no evidence that this vulnerability has been actively exploited, and we believe this specific configuration is extraordinarily uncommon.

This issue was resolved in version 2.4.18 of the Duo Authentication Proxy. Customers using an affected configuration (see "Solution" section below) should update to the latest version as soon as possible.

Description

The Duo Authentication Proxy performs second-factor authentication by communicating with the Duo Auth API. When performing second-factor authentication for a user with an out-of-band method (e.g. Duo Push or a phone call), the Auth API does not return a response until the user has approved or rejected the authentication attempt, or until Duo's cloud service considers the authentication attempt "expired". By default, the Authentication Proxy does not itself enforce any timeout on these API calls; Duo's cloud service will generally consider all authentication attempts "expired" after not more than 60 seconds.

However, the Authentication Proxy offers an advanced configuration option called "api_timeout", which places an upper bound on the number of seconds to wait for a response from the Auth API. If this timeout is reached before the Auth API has returned a result, the Authentication Proxy triggers its configured "failmode". If "failmode" is set to "safe" (the default), this can result in a bypass of second-factor authentication, because the user is permitted through without the out-of-band approval ever having been completed.

As of version 2.4.18, the Authentication Proxy will no longer trigger "fail-safe" behavior if an out-of-band authentication attempt prematurely times out.

Impact

Attackers may be able to bypass second-factor authentication only on systems that authenticate users via affected configurations of the Duo Authentication Proxy.

Affected Product(s)

Take the following steps to determine whether your configuration may be affected:

1. Open your authproxy.cfg file.

  • Windows: C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
  • Linux: /opt/duoauthproxy/conf/authproxy.cfg

2. Search for "api_timeout". If this value is present, you must remove it, or upgrade your Duo Authentication Proxy to version 2.4.18 or later.
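The two steps above can be scripted. The following is an added example for auditing a copy of authproxy.cfg; it is not a Duo-provided tool. It assumes only that authproxy.cfg is INI-style (sections in square brackets, key=value lines) and that a section without an explicit "failmode" uses the default of "safe". The sample configuration embedded below is constructed for illustration and uses placeholder keys and hosts.

```python
import configparser
import io

# Constructed sample authproxy.cfg (placeholder values, not a real deployment).
SAMPLE_CFG = """\
[main]
debug=true

[ad_client]
host=dc.example.internal
service_account_username=svc_duo
service_account_password=PLACEHOLDER

[radius_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-PLACEHOLDER.duosecurity.com
api_timeout=10
client=ad_client

[radius_server_iframe]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-PLACEHOLDER.duosecurity.com
api_timeout=15
failmode=secure
client=ad_client
"""

def find_api_timeout_sections(cfg_text):
    """Return (section, api_timeout, failmode) for every section that sets
    api_timeout. failmode is reported as "safe" when absent, matching the
    proxy default described in the advisory."""
    parser = configparser.RawConfigParser()  # no % interpolation on secrets
    parser.read_file(io.StringIO(cfg_text))
    findings = []
    for section in parser.sections():
        if parser.has_option(section, "api_timeout"):
            timeout = parser.get(section, "api_timeout")
            failmode = parser.get(section, "failmode", fallback="safe")
            findings.append((section, timeout, failmode))
    return findings

def needs_action(cfg_text):
    """Advisory criterion: any api_timeout present means remove it or upgrade."""
    return len(find_api_timeout_sections(cfg_text)) > 0

if __name__ == "__main__":
    for section, timeout, failmode in find_api_timeout_sections(SAMPLE_CFG):
        print(f"[{section}] api_timeout={timeout} failmode={failmode}")
    print("action required:", needs_action(SAMPLE_CFG))
```

Sections reported with failmode "safe" are the ones where the described bypass applies; sections set to "secure" still carry the api_timeout value the advisory says to remove.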

Workaround

Customers using an affected configuration may work around this issue by removing all instances of "api_timeout" from authproxy.cfg, and restarting the Authentication Proxy.

Solution

Customers using an affected configuration should upgrade to the latest version of the Duo Authentication Proxy as discussed above. Download the latest version from:

For more information on upgrading the Authentication Proxy, see https://duo.com/docs/authproxy-reference#upgrading-the-proxy

Vulnerability Metrics

Vulnerability Class: CWE-636: Not Failing Securely ('Failing Open')
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: High
CVSSv2 Overall Score: 6.2
CVSSv2 Group Scores: Base: 7.9, Temporal: 6.2
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:N/E:POC/RL:OF/RC:C)

References

Timeline

2016-12-08

  • Duo privately receives report of a security vulnerability in the Authentication Proxy
  • Duo acknowledges receipt of report and begins investigation
  • Duo confirms vulnerability exists

2016-12-09

  • Engineers at Duo begin investigating potential fixes

2016-12-13

  • Duo completes development and testing of fixes

2016-12-14

  • Advisory released to paid Duo customers with potentially affected applications

2016-12-21

  • Advisory published and released to free Duo customers with potentially affected applications

Credits/Contact

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2016-002" in the subject, or to your Customer Success Manager, if appropriate.

Duo Security would like to thank Leo Pereira of Invitae for reporting this issue.