Advisory ID: DUO-PSA-2018-001
Publication Date: 2018-03-06
Revision Date: 2018-03-06
Status: Confirmed, Fixed
Document Revision: 1
Duo has identified and fixed an issue with our public documentation on the Duo Unix integration. The suggested Pluggable Authentication Module (PAM) stack for the AIX operating system contained a logic bug that could allow for attackers to bypass secondary authentication. An attacker that had separately compromised a user's primary authentication credentials could then gain access without secondary authentication.
This issue is not a software flaw in Duo Unix, and does not require Duo Unix software updates. Applying the relevant configuration changes should be sufficient to remediate this issue.
To protect the 'su' and 'sshd' Unix programs, Duo previously (until 2018-02-26) recommended including the following PAM configuration for the AIX operating system:
auth requisite pam_aix
auth sufficient /usr/lib/security/pam_duo.so
This would attempt primary authentication via the pam_aix PAM module and fail immediately if that was unsuccessful. Then, if primary authentication was successful, it would attempt 2FA via the pam_duo module.
The error is that the 'sufficient' PAM control flag does not return an authentication failure if that particular PAM module fails. Meaning, if the primary authentication was successful then PAM would be primed with a 'success' result, and would return that regardless of what pam_duo returned.
Configuring Duo Unix with the previously mentioned faulty PAM configuration causes Duo Unix to not enforce 2FA. Administrators should update their PAM configuration as soon as possible.
Duo Unix, when configured for AIX systems following Duo's documented PAM configuration prior to 2018-02-26.
Changing the PAM control flag to 'required' will fix the issue:
auth requisite pam_aix
auth required /usr/lib/security/pam_duo.so
The complete recommended PAM configuration can be found here: https://duo.com/docs/duounix#pam-examples
Note that no changes to Duo Unix itself are required.
Vulnerability Class: CWE-592: Authentication Bypass Issues
Remotely Exploitable: [Yes]
Authentication Required: [Partial]
CVSSv2 Overall Score: 5.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.7
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C
If you have questions regarding this issue, please contact us at:
Or, reach out to your Customer Success Manager, as appropriate.