Advisory ID: DUO-PSA-2017-003
Publication Date: 2018-02-27
Revision Date: 2018-02-27
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo Security has identified a security flaw in a third-party library used in the Duo Network Gateway (DNG) which, under certain configurations, could allow for a bypass of the DNG's SAML first factor of authentication.

Description

Duo has discovered an implementation flaw in the open-source library 'python-saml' (CVE-2017-11427) that, under certain conditions, could allow an attacker with authenticated access to a SAML Identity Provider (IdP) to bypass the first factor of authentication for a different user.

This issue is due to an inconsistency of XML DOM traversal APIs and their handling of comment nodes. Comment nodes should have no effect - and indeed, due to the canonicalization of XML prior to signature verification, inserting an XML comment into a SAML message does not invalidate its signature. However, the 'python-saml' code makes incorrect use of a DOM-traversal API, such that it fails to extract the full inner text of an XML element containing a comment. Instead, all the text after the comment is lost.

To exploit this issue, an attacker inserts XML comments into select areas of the SAML assertions before passing them along to the DNG. Once the DNG validates the signature and extracts the user's identifier, only part of the user's identifier is recovered. In cases where an attacker's user identifier (e.g. john_doe) can be truncated to become a victim's user identifier (e.g. john), the attacker can trick the DNG into authenticating as the victim.

Impact

Attackers who have the ability to authenticate as a user may be able to bypass the first factor of authentication for a different user.

Note that, unless the attacker can separately bypass 2FA, this attack would not result in a full bypass of user authentication.

Affected Product(s)

This issue affects DNG versions before version 1.2.10. DNG configurations could be at greater risk, due to increased attacker control over the user being bypassed, if they either:

• Have "Username Normalization" enabled for the DNG integration. (Username Normalization is enabled by default)
• Do not have a domain specified for email identifiers via the "Enforced Email Domain" feature. (No domain is specified by default)

Solution

The issue has been resolved through a patch to the Duo Network Gateway. Please update to DNG version 1.2.10+ using the instructions covered at https://duo.com/docs/dng.

You can check the version of your Duo Network Gateway by following the instructions at https://help.duo.com/s/article/4151.

Vulnerability Metrics

Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 5.1
CVSSv2 Group Scores: Base: 6.3, Temporal: 5.1, Environmental: 5.1
CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:N/A:N/E:POC/RL:U/RC:UC/CDP:ND/TD:ND/CR:M/IR:L/AR:L

References

• CWE-287: Improper Authentication
• CVE-2017-11427 (python-saml)
• CVE-2018-7340 (Duo Network Gateway)
• "Duo Finds SAML Vulnerabilities Affecting Multiple Implementations"

2017-12-11

• During an internal application security assessment on the python-saml library, Duo determines that a security issue exists that may have serious implications.
• Duo conducts an investigation of products using this library and determines that the Duo Network Gateway (DNG) application is impacted in its usage of this library.
• After understanding the root cause of the issue in python-saml, Duo investigates whether similar implementations within other SAML-related libraries & software may suffer from this issue.

2017-12-14

• Additional analysis of SAML implementations identifies three other vendors impacted by related bugs.

2017-12-18

• Having confirmed this vulnerability class applies across multiple vendors, Duo contacts CERT/CC to coordinate disclosure of all related issues.

2017-12-19

• To ensure customers will be immediately protected from this vulnerability, Duo releases a new version of the DNG with a fix.

2017-12-20

• Impacted customers are made aware that a security issue in the DNG requires their action to update their installations. However, Duo does not disclose technical details around the issue at this time, and customers are instead informed Duo is coordinating with CERT/CC due to other parties being at risk to similar issues in their own software & library usage.
• CERT/CC acknowledges receipt of issues from Duo and replies back with initial questions.

2017-12-22

• Duo provides CERT/CC with answers to questions and additional information as required.

2018-01-02 to 2018-01-09

• Additional communication between Duo and CERT/CC occurs to address questions.

2018-01-09

• CERT/CC & Duo agree upon 02/27/2018 as a coordinated public disclosure date.

2018-01-24

• CERT/CC provides initial contact to impacted vendors after internal analysis.

2018-01-25

• Vendors respond back to CERT/CC and begin internal triage & remediation processes.
• Communication occurs with CERT/CC about additional issues related to this research.

2018-01-29

• Additional vendors are identified as possibly impacted and CERT/CC contacts them.

2018-02-01

• CVE numbers are reserved for each vendor's impacted software found during research.

2018-02-06

• CERT/CC provides a draft of their technical note for review by Duo.
• Duo acknowledges and approves the draft of the CERT/CC technical note.

2018-02-19

• Duo follows up with CERT/CC asking for updates to vendor report/response timelines.

2018-02-20

• CERT/CC responds to Duo's request with a high-level timeline. Final confirmation that all vendors are patched and agree on a 02/27/2018 coordinated public disclosure.

2018-02-27

• Coordinated public disclosure of issues identified occurs, including the DNG.

Credits/Contact

Duo Security would like to thank CERT/CC for their coordination related to the various security disclosure actions conducted during this process.

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2017-003" in the subject.

Other feedback regarding this issue can be sent to security@duosecurity.com.