Advisory ID: DUO-PSA-2018-003
Publication Date: 2018-05-31
Revision Date: 2018-05-31
Status: Confirmed, Fixed
Document Revision: 1
Duo has identified and fixed an issue with our documentation for the Duo Authentication Proxy integration with VMware Horizon View. The previously recommended configuration could allow a malicious user who had separately compromised a user's primary authentication credentials to gain access without secondary authentication. This issue has since been resolved in our official documentation.
A Duo Security employee identified a secondary authentication bypass condition in the previous documentation (available until 2018-05-22) that applies when the Duo Authentication Proxy performs secondary authentication and VMware Horizon View handles primary authentication independently. Because VMware Horizon View's implementation prompts for secondary authentication before primary authentication, this could have allowed a malicious user to leverage a different user's primary credentials after successfully passing secondary authentication for their own account.
When VMware Horizon View and the Duo Authentication Proxy are configured with [duo_only_client], there is no relationship between the user who successfully performed second-factor authentication with Duo and the user who submits a username and password. This configuration could have allowed a malicious user to bypass a targeted user's secondary authentication by completing secondary authentication for their own account and then submitting the target user's primary credentials.
Duo Authentication Proxy (VMware Horizon View Integration)
To resolve this issue, we advise customers who use the VMware Horizon View integration to remove the [duo_only_client] section and configure the [ad_client] section in the Duo Authentication Proxy configuration. Customers must also enable both "Enforce 2-factor and Windows user name matching" and "Use the same username and password for RADIUS and Windows authentication" in VMware Horizon View.
As a result, the Duo Authentication Proxy will require correct primary authentication credentials before triggering secondary authentication to make sure that the primary and secondary authentication credentials match. This configuration also ensures that VMware Horizon View will not allow a user to enter different login credentials during the primary authentication. Recommended main and alternate configurations can be found here:
Please note that if you were previously using [duo_only_client], the AD password reset feature with VMware Horizon View will no longer work with the updated [ad_client] configuration.
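The following audit sketch is an added example, not Duo's code or documentation: it checks an Authentication Proxy configuration for the [duo_only_client] pattern described above and for the recommended [ad_client] replacement. It assumes the file serves only the Horizon View integration and that RADIUS listeners are `radius_server*` sections selecting their primary authenticator with a `client` key; all hosts, keys and secrets in the samples are constructed placeholders.

```python
import configparser

# Constructed samples: hosts, keys and secrets are placeholders.
BEFORE = """\
[duo_only_client]

[radius_server_challenge]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.10
radius_secret_1=placeholder
client=duo_only_client
"""

AFTER = """\
[ad_client]
host=dc1.example.com
service_account_username=svc_duo
service_account_password=placeholder
search_dn=DC=example,DC=com

[radius_server_challenge]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.10
radius_secret_1=placeholder
client=ad_client
"""

def audit(cfg_text):
    """Return findings for a proxy config assumed to serve only Horizon View."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    sections = cp.sections()
    findings = []
    for name in sections:
        if name.startswith("duo_only_client"):
            findings.append(f"[{name}] is defined: remove it")
        elif name.startswith("radius_server"):
            client = cp.get(name, "client", fallback="")
            if client.startswith("duo_only_client"):
                findings.append(f"[{name}] client={client}: primary auth not checked by proxy")
            elif client not in sections:
                findings.append(f"[{name}] client={client!r} has no matching section")
    if not any(s.startswith("ad_client") for s in sections):
        findings.append("no [ad_client] section configured")
    return findings
```

A clean result covers only the proxy side; the two VMware Horizon View settings named above still have to be verified in Horizon View itself.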
Vulnerability Class: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Remotely Exploitable: [Yes]
Authentication Required: [Partial]
CVSSv2 Overall Score: 6.0
CVSSv2 Group Scores: Base: 6.3, Temporal: 6.0
CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:N/A:N/E:F/RL:U/RC:C
If you have questions regarding this issue, please contact us at: