Advisory ID: DUO-PSA-2018-002
Publication Date: 2018-05-23
Revision Date: 2018-05-23
Status: Confirmed, Fixed
Document Revision: 1
Duo has identified and fixed an issue with the Duo administrative panel. This issue could have allowed for a second-factor bypass of administrative logins. This issue was completely service-side and immediately resolved upon discovery of the flaw.
A Duo Security employee identified a bypass condition for administrative logins by submitting specially crafted passcodes as a second factor of authentication. This issue was only applicable to administrative logins.
An administrative login for an account could have had its second factor bypassed if an attacker first acquired a valid set of primary authentication credentials. Duo Security has no knowledge of this issue being abused. Duo Security was able to remediate this issue within three hours of initial discovery by a Duo employee.
Duo’s Administrative Panel
This issue was resolved internally through an immediate security fix applied to our cloud service deployments for all customers. No action was required by customers to have this fix applied to their account.
Duo Security conducted thorough log analysis and, from the available log data, found zero indicators that this issue had been used to attack customer accounts. However, customers may additionally choose to review their own accounts for suspicious activity by reviewing the Administrator Actions log in the administrative panel.
Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: [Yes]
Authentication Required: [Partial]
CVSSv2 Overall Score: 5.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.7
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C
If you have questions regarding this issue, please contact us at: