Advisory ID: DUO-PSA-2017-001
Publication Date: 2017-03-14
Revision Date: 2017-03-14
Status: Confirmed, Fixed
Document Revision: 1
Duo has identified and fixed an issue in our cloud service which, under certain configurations, could have enabled an attacker who had separately compromised a user's primary credentials to add unauthorized second-factor authentication devices, or to modify previously registered devices, for that user. The issue only affects the subset of customers who have enabled the Self-Service Portal or the Device Management Portal on their applications.
Duo resolved this issue within 24 hours of the report by deploying a fix to our cloud service that enforces a completed second-factor authentication in all cases before the options to add, remove or change the authentication devices associated with a user account can be reached.
Duo has confirmed with certainty that there were no attacks against this vulnerability on or after 2016-11-16, and has found no evidence suggesting that this vulnerability was ever exploited prior to that date.
However, in the interest of transparency, we are sharing any activities performed through the Self-Service and Device Management Portal for which the possibility of an attack cannot be completely ruled out. If you have received this notification, Duo has flagged these activity patterns for your account. Again, there is no evidence that these are malicious activities, but you may choose to review these activities and/or take further actions, as described below.
Duo's cloud service contains two optional features, the Self-Service Portal and the Device Management Portal, which allow users to manage their own Duo accounts and enrolled authentication devices. On applications where either feature is enabled, an attacker who also had access to a user's primary credentials could have reached the portion of the portal where users manage (add, change or remove) authentication devices by initiating, but not successfully completing, a second-factor authentication and then crafting and loading a specially constructed URL. The device-management pages were therefore reachable from a session in which the second factor had been started but never completed.
Duo has found no evidence that this vulnerability was ever exploited. A thorough analysis of detailed operational logs has confirmed that there were no attacks against this vulnerability from 2016-11-16 until the vulnerability was patched on 2017-02-10. A further analysis of less granular operational logs prior to 2016-11-16 affirms that the vast majority of Duo customers and users were never impacted.
In a successful attack, an adversary who had previously compromised a user's primary credentials may have been able to add authentication devices or modify previously-registered authentication devices for that user, ultimately leading to bypass of second-factor authentication.
For a small subset of Duo users and customers, we have identified activity patterns prior to 2016-11-16 that could be consistent with either legitimate user activity or exploitation of this vulnerability. There is not enough information in our logs to allow us to distinguish between these two cases. After manually reviewing these log patterns, we strongly believe they are, in all cases, the result of legitimate user activity (e.g. adding, modifying or removing authentication devices) and represent false positives. Nonetheless, as we value transparency in security, we are presenting the complete list of the user activity to impacted customers so that they can determine for themselves whether to perform further review and/or take proactive action (e.g. re-enroll those users).
Customers who directly received this notification can use the Duo Administrator Panel to find the list of user activities for review and potential follow-up action at https://admin.duosecurity.com/psa/DUO-PSA-2017-001.
Affected configurations include any applications that enabled either the Self-Service Portal or the Device Management Portal feature with Duo's service.
A fix that correctly enforces authentication in the Self-Service Portal and Device Management Portal has been deployed to Duo's cloud service. No action is necessary for customers to resolve the issue.
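The class of flaw described above, and the property the deployed fix enforces, as an added illustration that is not Duo's code: a device-management route gated on a partially authenticated session, beside the corrected gate that requires a completed second factor. The session model, authentication-level names, handler names and sample credentials are assumptions made for this example; the advisory does not disclose the portal's internals or the URL involved.

```python
"""Model of the authentication step-up flaw described in this advisory.

Illustrative code only: not Duo's implementation. The session model, level
names, route handlers and sample credentials are assumptions made for the
demonstration. The property shown is the one the fix enforces: a
device-management action must require a *completed* second factor, not merely
a session in which one has been started.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Dict, List, Optional
import hmac


class AuthLevel(Enum):
    ANONYMOUS = auto()
    PRIMARY = auto()      # primary credentials accepted, second factor pending
    TWO_FACTOR = auto()   # second factor completed


@dataclass
class Session:
    user: Optional[str] = None
    level: AuthLevel = AuthLevel.ANONYMOUS
    pending_otp: Optional[str] = None      # demo stand-in for a pending 2FA challenge
    devices: List[str] = field(default_factory=list)


class Forbidden(Exception):
    """A route refused the request."""


def verify_primary(session: Session, user: str, password: str,
                   users: Dict[str, str]) -> None:
    """Primary authentication: binds the user to the session and moves it to
    PRIMARY. The session is no longer anonymous, but it is not yet trusted."""
    if not hmac.compare_digest(users.get(user, ""), password):
        raise Forbidden("bad primary credentials")
    session.user = user
    session.level = AuthLevel.PRIMARY


def begin_second_factor(session: Session, challenge: str) -> None:
    """Start the second-factor prompt (hypothetical OTP challenge)."""
    if session.level is not AuthLevel.PRIMARY:
        raise Forbidden("primary authentication required first")
    session.pending_otp = challenge


def complete_second_factor(session: Session, code: str) -> None:
    """Finish the second factor; only now does the session reach TWO_FACTOR."""
    if session.pending_otp is None or not hmac.compare_digest(session.pending_otp, code):
        raise Forbidden("second factor failed")
    session.pending_otp = None
    session.level = AuthLevel.TWO_FACTOR


def add_device_vulnerable(session: Session, device: str) -> List[str]:
    """Flawed gate: 'is a user bound to this session?' is true as soon as the
    primary factor succeeds, so a request sent after *starting* the second
    factor is accepted even though it was never completed."""
    if session.user is None:
        raise Forbidden("not authenticated")
    session.devices.append(device)
    return session.devices


def add_device_fixed(session: Session, device: str) -> List[str]:
    """Correct gate: require the fully authenticated level. A PRIMARY-only
    session is refused regardless of how the request reached this route."""
    if session.level is not AuthLevel.TWO_FACTOR:
        raise Forbidden("second factor not completed")
    session.devices.append(device)
    return session.devices


USERS = {"alice": "correct horse battery staple"}   # constructed sample credentials
CHALLENGE = "123456"                                # constructed sample OTP
Handler = Callable[[Session, str], List[str]]


def attacker_with_password_only(handler: Handler) -> str:
    """Attacker holds the victim's password, starts the 2FA prompt, cannot
    answer it, and requests the device-management route directly."""
    s = Session()
    verify_primary(s, "alice", USERS["alice"], USERS)
    begin_second_factor(s, CHALLENGE)
    try:
        handler(s, "attacker-phone")
    except Forbidden:
        return "refused"
    return "device added"


def legitimate_user(handler: Handler) -> str:
    """Legitimate user completes both factors before managing devices."""
    s = Session()
    verify_primary(s, "alice", USERS["alice"], USERS)
    begin_second_factor(s, CHALLENGE)
    complete_second_factor(s, CHALLENGE)
    try:
        handler(s, "alice-phone")
    except Forbidden:
        return "refused"
    return "device added"


if __name__ == "__main__":
    print("vulnerable gate, attacker:", attacker_with_password_only(add_device_vulnerable))
    print("fixed gate, attacker:     ", attacker_with_password_only(add_device_fixed))
    print("fixed gate, legit user:   ", legitimate_user(add_device_fixed))
```

Running the block shows the vulnerable handler accepting the attacker's device registration while the fixed handler refuses it and still serves the legitimate user. The design point is that authorization for sensitive account changes such as enrolling or modifying a second-factor device should key on the highest authentication level the session has actually reached, not on whether a user identity happens to be bound to the session after a partially completed login.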
Customers who directly received this notification can perform further review of user activity and/or take proactive action in Duo Administrator Panel at https://admin.duosecurity.com/psa/DUO-PSA-2017-001.
Vulnerability Class: CWE-592: Authentication Bypass Issues
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: High
CVSSv2 Overall Score: 6.5
CVSSv2 Group Scores: Base: 7.9, Temporal: 6.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C)
Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2017-001" in the subject, or to your Customer Success Manager, if appropriate.
Duo Security would like to thank Brian W. Gray of Carnegie Mellon University for reporting this issue and the Carnegie Mellon Identity Services team for their assistance throughout.