Advisory ID: DUO-PSA-2019-001
Publication Date: 2019-04-16
Revision Date: 2019-04-16
Status: Confirmed, Fixed
Document Revision: 1
A Duo customer has identified an issue where Duo Authentication for Windows Logon could incorrectly enforce "failmode" following a manual, post-installation change to its offline configuration. This flaw meant that a system configured to fail securely (i.e. fail closed) would instead fail open.
Updating to version 4.0.5 of the software fully resolves this potential enforcement issue.
A defect in Duo Authentication for Windows Logon (WinLogon) could cause the failmode configuration to be enforced incorrectly under one specific circumstance. In that situation the system would remain in a "fail open" state whenever it was unable to reach Duo's service.
This issue is restricted to deployments running WinLogon version 4.0.0 through 4.0.4 in which the "OfflineAvailable" and "FailOpen" keys have both been manually set to a value of "0" (zero), disabling both at the same time. The "FailOpen" key is only ever set manually by a system administrator; no other part of the WinLogon functionality sets it.
On vulnerable versions of WinLogon, this combination of post-installation configuration options caused a system configured to fail securely (i.e. fail closed) to ignore that configuration and instead fail open.
Duo Authentication for Windows Logon, versions 4.0.0 - 4.0.4
Duo has released a new version, 4.0.5, of the WinLogon software that properly enforces the failmode in previously impacted configurations. Impacted customers are advised to immediately update to this new version.
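As an added audit check, not Duo's own code, the following PowerShell reads the installed WinLogon version from the standard Windows Uninstall keys and evaluates the condition described above (version 4.0.0 through 4.0.4 with both keys set to 0). The registry key holding the OfflineAvailable and FailOpen values is not given in this advisory, so `$DuoConfigKey` is a placeholder, and the DisplayName match used to find the product is an assumption.

```powershell
# Added audit script for DUO-PSA-2019-001 (not Duo's own code).
# ASSUMPTION: $DuoConfigKey is a PLACEHOLDER; the advisory does not name the
# registry key holding "OfflineAvailable" and "FailOpen". Set it before running.
$DuoConfigKey = 'HKLM:\SOFTWARE\<Duo-WinLogon-configuration-key>'

function Get-DuoWinLogonVersion {
    # ASSUMPTION: the product registers itself in the standard Windows
    # Uninstall keys under the DisplayName used in the advisory.
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Duo Authentication for Windows Logon*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-DuoPsa2019001Exposure {
    param(
        [Parameter(Mandatory)][version]$InstalledVersion,
        $OfflineAvailable,   # registry value as read; $null when absent
        $FailOpen            # registry value as read; $null when absent
    )
    # Affected releases: 4.0.0 through 4.0.4 inclusive; 4.0.5 contains the fix.
    $affectedVersion = ($InstalledVersion -ge [version]'4.0.0') -and
                       ($InstalledVersion -le [version]'4.0.4')
    # Triggering configuration: both keys manually set to 0. An absent key
    # ($null) does not compare equal to 0, so it does not count as "set to 0".
    $triggeringConfig = ($OfflineAvailable -eq 0) -and ($FailOpen -eq 0)
    [pscustomobject]@{
        InstalledVersion          = $InstalledVersion
        AffectedVersion           = $affectedVersion
        TriggeringConfig          = $triggeringConfig
        FailOpenDespiteFailClosed = $affectedVersion -and $triggeringConfig
    }
}

$version = Get-DuoWinLogonVersion
if (-not $version) {
    Write-Output 'Duo Authentication for Windows Logon was not found in the Uninstall registry keys.'
    return
}
$config = Get-ItemProperty -Path $DuoConfigKey -ErrorAction SilentlyContinue
$result = Test-DuoPsa2019001Exposure -InstalledVersion ([version]$version) `
          -OfflineAvailable $config.OfflineAvailable -FailOpen $config.FailOpen
$result | Format-List
if ($result.FailOpenDespiteFailClosed) {
    Write-Warning 'Fail-closed setting is not enforced (DUO-PSA-2019-001); update WinLogon to 4.0.5.'
}
```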
Vulnerability Class: CWE-284: Improper Access Control
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 4.2
CVSSv2 Group Scores: Base: 5.0, Temporal: 3.9
CVSSv2 Vector: AV:L/AC:M/Au:S/C:P/I:C/A:N/E:POC/RL:OF/RC:C/CDP:L/TD:M/CR:L/IR:H/AR:L
Duo Security would like to thank National Retail Properties for their security report that led to this fix.
If you have questions regarding this issue, please contact us at:
International customers can find our toll-free numbers here: https://duo.com/about/contact.
Or, reach out to your Customer Success Manager, as appropriate.