Advisory ID: DUO-PSA-2018-004
Publication Date: 2018-12-18
Revision Date: 2018-12-18
Status: Confirmed, Fixed
Document Revision: 1
Duo has identified and fixed an issue with the Duo Access Gateway (DAG). This issue could have allowed data exposure on the DAG's filesystem for certain limited use cases, as described below. Specifically, a user's primary authentication credentials could have been temporarily stored on the DAG's server itself, not externally and not anywhere accessible by Duo. This issue was discovered internally while working on unrelated product features. Upon discovery, Duo developed a new version of DAG that patches the issue and deletes any potentially exposed information from the filesystem.
A Duo Security employee identified a bug resulting in the exposure of users' primary authentication credentials. This exposure was limited to administrators with access to the DAG's filesystem. The bug, which affected both the Linux (Docker) and Windows versions of DAG, was further limited to deployments that met all of the following criteria: Office365 was the SAML application being authenticated to, the Basic Authentication setting was disabled, and the DAG was running versions 1.5.0 through 1.5.5, inclusive.
This issue may have resulted in exposure of users' primary authentication credentials on the DAG's filesystem. This information could have been further exposed via backup or replication.
Duo does not have the ability to remotely access these files as they are held within the customer's environment. Moreover, these credentials were not exposed outside of the users' organizations.
Duo Access Gateway (DAG) 1.5.0 - 1.5.5
In order to resolve this issue, customers must update their DAG deployments to version 1.5.6. This will patch the issue and delete any potentially exposed information from the filesystem.
Administrators should also consider other locations to which this information may have been copied, for example a system backup or a failover machine. Due to the potential for user credential exposure on the DAG's filesystem, organizations that believe this information may have been duplicated or accessed should consider having users reset their passwords as a precaution.
Vulnerability Class: CWE-313: Cleartext Storage in a File or on Disk
Remotely Exploitable: [No]
Authentication Required: [Partial]
CVSSv2 Overall Score: 0.9
CVSSv2 Group Scores: Base: 3.7, Temporal: 2.7
CVSSv2 Vector: AV:L/AC:H/Au:M/C:C/I:N/A:N/E:U/RL:OF/RC:C/CDP:L/TD:L/CR:M/IR:ND/AR:ND
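The scores above can be reproduced from the vector string. The following calculator is an added example, not Duo's code; it assumes the metric weights and rounding rules of the CVSS v2.0 specification and fills in ND defaults for any temporal or environmental metric a vector omits.

```python
# Added example: compute CVSSv2 Base, Temporal and Environmental scores
# from a vector such as the one in this advisory. Weights are taken from
# the CVSS v2.0 specification; the advisory itself supplies only the vector.
from decimal import Decimal, ROUND_HALF_UP

WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
# "Not Defined" values used when a vector carries only the base metrics.
DEFAULTS = {"E": 1.0, "RL": 1.0, "RC": 1.0, "CDP": 0.0, "TD": 1.0,
            "CR": 1.0, "IR": 1.0, "AR": 1.0}

def round1(x):
    """The spec's round_to_1_decimal (half up)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def parse_vector(vector):
    """'AV:L/AC:H/...' -> {'AV': 0.395, ...}; an unknown metric raises KeyError."""
    parsed = {k: WEIGHTS[k][v] for k, v in (m.split(":") for m in vector.split("/"))}
    return {**DEFAULTS, **parsed}

def cvss2_scores(vector):
    """Return (base, temporal, environmental) for a CVSSv2 vector string."""
    w = parse_vector(vector)
    def impact_of(c, i, a):
        return min(10.0, 10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))
    def base_from(impact):
        exploit = 20 * w["AV"] * w["AC"] * w["Au"]
        return 0.0 if impact == 0 else round1((0.6 * impact + 0.4 * exploit - 1.5) * 1.176)
    base = base_from(impact_of(w["C"], w["I"], w["A"]))
    temporal = round1(base * w["E"] * w["RL"] * w["RC"])
    # Environmental: the impact sub-score is re-weighted by the C/I/A requirements,
    # then the temporal score is recomputed from that adjusted base.
    adj_impact = impact_of(w["C"] * w["CR"], w["I"] * w["IR"], w["A"] * w["AR"])
    adj_temporal = round1(base_from(adj_impact) * w["E"] * w["RL"] * w["RC"])
    environmental = round1((adj_temporal + (10 - adj_temporal) * w["CDP"]) * w["TD"])
    return base, temporal, environmental

if __name__ == "__main__":
    # The advisory's vector yields Base 3.7, Temporal 2.7, Environmental 0.9.
    print(cvss2_scores("AV:L/AC:H/Au:M/C:C/I:N/A:N/E:U/RL:OF/RC:C/CDP:L/TD:L/CR:M/IR:ND/AR:ND"))
```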
If you have questions regarding this issue, please contact us at: