
Duo Product Security Advisory

Advisory ID: DUO-PSA-2018-002
Publication Date: 2018-05-23
Revision Date: 2018-05-23
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue in the Duo administrative panel. The issue could have allowed an attacker who already held an administrator's valid primary credentials to bypass the second factor on an administrative login. The flaw lived entirely on the Duo service side (no customer-deployed component was involved) and was resolved immediately upon discovery.

Description

A Duo Security employee identified a bypass condition for administrative logins by submitting specially crafted passcodes as a second factor of authentication. This issue was only applicable to administrative logins.

Impact

An attacker who had first obtained a valid set of primary authentication credentials (username and password) for an administrator account could have completed an administrative login without satisfying the second factor. Duo Security has no knowledge of this issue being abused. Duo Security remediated the issue within three hours of its initial discovery by a Duo employee.

Affected Product(s)

Duo’s Administrative Panel

Solution

This issue was resolved internally through an immediate security fix applied to our cloud service deployments for all customers. No action was required by customers to have this fix applied to their account.

Duo Security conducted thorough log analysis and, from the available log data, found zero indicators that this issue had been used to attack customer accounts. However, customers may additionally choose to review their own accounts for suspicious activity by reviewing the Administrator Actions log in the administrative panel.
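The review suggested above can be done in the Admin Panel UI, or the same Administrator Actions log can be pulled programmatically through the Duo Admin API. The script below is an added example written for this page; it is not part of Duo's advisory or Duo's own tooling. It implements the documented Duo API request signing (HMAC-SHA1 over the date, method, host, path and sorted parameters, sent as HTTP Basic auth) and then triages log entries for administrator logins that completed before the fix rolled out (17:35 ET on 2018-05-17, 21:35 UTC) from IP addresses not on an operator-maintained allowlist. The endpoint path, the entry field names (action, timestamp, username, description with ip_address) and the sample records are assumptions made for the example; check them against the current Admin API documentation before relying on them. Because the advisory does not state when the flaw was introduced, the lookback window (mintime) is left to the operator.

```python
"""Pull and triage Duo Administrator Actions log entries (added example, not Duo code)."""
import base64
import email.utils
import hashlib
import hmac
import json
import urllib.parse
from datetime import datetime, timezone

# Remediation was complete for all deployments at 17:35 ET on 2018-05-17 (from the timeline).
FIX_COMPLETE_UTC = datetime(2018, 5, 17, 21, 35, tzinfo=timezone.utc)

# Assumed endpoint for the Administrator Actions log (Admin API v1).
ADMIN_LOG_PATH = "/admin/v1/logs/administrator"


def canonicalize(date, method, host, path, params):
    """Build the canonical string the Duo API signature is computed over.

    Parameters are sorted by key and URL-encoded with '~' left unescaped;
    the host is lowercased and the method uppercased, per Duo's signing scheme.
    """
    canon_params = "&".join(
        f"{urllib.parse.quote(str(k), safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, canon_params])


def sign_admin_api_request(ikey, skey, host, method, path, params, date=None):
    """Return the Date and Authorization headers for a Duo Admin API call.

    The signature is HMAC-SHA1(skey, canonical string) in hex, sent as
    HTTP Basic auth with the integration key as the user name.
    """
    date = date or email.utils.formatdate()  # RFC 2822 date, as the API expects
    sig = hmac.new(skey.encode(), canonicalize(date, method, host, path, params).encode(),
                   hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {auth}"}


def find_suspicious_admin_logins(entries, known_admin_ips, fix_complete=FIX_COMPLETE_UTC):
    """Return admin_login entries that completed before the fix from an unlisted IP.

    Assumed entry shape: {"action", "timestamp" (unix seconds), "username",
    "description" (JSON string or dict containing "ip_address")}.
    """
    hits = []
    for entry in entries:
        if entry.get("action") != "admin_login":
            continue
        when = datetime.fromtimestamp(entry["timestamp"], tz=timezone.utc)
        if when >= fix_complete:
            continue  # logged after remediation; the bypass was no longer possible
        desc = entry.get("description") or "{}"
        if isinstance(desc, str):
            desc = json.loads(desc)
        ip = desc.get("ip_address")
        if ip not in known_admin_ips:
            hits.append({"username": entry.get("username"), "ip": ip, "when": when.isoformat()})
    return hits


def _ts(iso_utc):
    """Unix timestamp for an ISO 8601 wall-clock time interpreted as UTC."""
    return int(datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc).timestamp())


# Constructed sample records for the example; they are not real Duo log data.
KNOWN_ADMIN_IPS = {"203.0.113.10"}
SAMPLE_ENTRIES = [
    {"action": "admin_login", "timestamp": _ts("2018-05-17T12:00:00"), "username": "alice-admin",
     "description": json.dumps({"ip_address": "203.0.113.10"})},
    {"action": "admin_login", "timestamp": _ts("2018-05-17T13:30:00"), "username": "mallory-admin",
     "description": json.dumps({"ip_address": "198.51.100.7"})},
    {"action": "admin_login", "timestamp": _ts("2018-05-18T09:00:00"), "username": "bob-admin",
     "description": json.dumps({"ip_address": "198.51.100.8"})},
    {"action": "admin_create", "timestamp": _ts("2018-05-17T14:00:00"), "username": "alice-admin",
     "description": json.dumps({"ip_address": "198.51.100.9"})},
]


if __name__ == "__main__":
    # Headers you would attach to GET https://<api-host>/admin/v1/logs/administrator?mintime=...
    headers = sign_admin_api_request("DIXXXXXXXXXXXXXXXXXX", "placeholder-secret-key",
                                     "api-xxxxxxxx.duosecurity.com", "GET", ADMIN_LOG_PATH,
                                     {"mintime": _ts("2018-05-01T00:00:00")})
    print(headers)
    for hit in find_suspicious_admin_logins(SAMPLE_ENTRIES, KNOWN_ADMIN_IPS):
        print("review:", hit)
```

Only the entry from an IP outside the allowlist that occurred before the fix window closed is returned; a login after remediation, a login from a known address, and a non-login action are all skipped. The allowlist is only a first filter: an attacker holding an administrator's primary credentials may also hold a foothold on that administrator's network, so entries from known addresses at unusual times still merit a look.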

Vulnerability Metrics

Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: [Yes]
Authentication Required: [Partial]
Severity: [Medium]
CVSSv2 Overall Score: 5.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.7
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C

Timeline

2018-05-17

  • 15:00 ET - Duo identifies a second-factor bypass in the Duo administrative panel.
  • 16:35 ET - Duo verifies a fix for the root cause of the issue and begins a roll-out of the fix.
  • 17:35 ET - All Duo customer deployments have received the remediation for this issue.

2018-05-21

  • Internal log analysis is conducted, and identifies no indications that this issue had been exploited.

2018-05-23

  • PSA is distributed to potentially impacted customers to provide awareness of this resolved issue.

References


Credits/Contact


If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2018-002" in the subject
  • our phone line at +1 (844) 386-6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.