Advisory ID: DUO-PSA-2019-001
Publication Date: 2019-04-16
Revision Date: 2019-04-16
Status: Confirmed, Fixed
Document Revision: 1

Overview

A Duo customer has identified an issue where Duo Authentication for Windows Logon could incorrectly enforce "failmode" following a manual, post-installation change to its offline configuration. This flaw would make it such that a system configured to fail securely (i.e. fail closed) would instead fail open.

Updating to version 4.0.5 of the software fully resolves this potential enforcement issue.

Description

A defect with Duo Authentication for Windows Logon (WinLogon) could allow an incorrect enforcement of failmode configuration under a specific circumstance. In this situation, the system would react with a continuous "fail open" state when unable to reach Duo’s service.

This issue is restricted to those that use WinLogon version 4.0.0 through 4.0.4, and have manually configured the “OfflineAvailable” and “FailOpen” keys to simultaneously disable both by setting them to a value of “0” (zero). The “FailOpen” key is only set manually by a system administrator and is not set by any other part of the WinLogon functionality.

Impact

When using vulnerable versions of WinLogon, a combination of post-installation configuration options would make it so that a system configured to fail securely (i.e. fail closed) would not respect this configuration and instead fail open.

Affected Product(s)

Duo Authentication for Windows Logon, versions 4.0.0 - 4.0.4

Solution

Duo has released a new version, 4.0.5, of the WinLogon software that properly enforces the failmode in previously impacted configurations. Impacted customers are advised to immediately update to this new version.

Vulnerability Metrics

Vulnerability Class: CWE-284: Improper Access Control
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 4.2
CVSSv2 Group Scores: Base: 5.0, Temporal: 3.9
CVSSv2 Vector: AV:L/AC:M/Au:S/C:P/I:C/A:N/E:POC/RL:OF/RC:C/CDP:L/TD:M/CR:L/IR:H/AR:L

Timeline

2019-04-08

• Duo receives a report for a security concern in the WinLogon software from a customer

2019-04-09

• 10:20 ET - Duo received logs from the customer to provide further details of the concern
• 10:44 ET - Duo acknowledges receipt of the report and begins an investigation
• 11:43 ET - Duo verified that the report is accurate and determines the root cause
• 15:29 ET - Duo begins development of a patch to remediate the identified software defect

2019-04-10

• 10:51 ET - Duo implements a fix for the issue and performs quality assurance testing
• 11:42 ET - Duo begins analysis to determine potentially impacted customers

2019-04-11

• Duo releases the updated version (4.0.5) of WinLogon with the fix included

2019-04-12

• Duo completes an impact analysis for the list of potentially affected customers to notify

2019-04-16

• PSA distributed to potentially impacted customers

References

• CWE-284: Improper Access Control - https://cwe.mitre.org/data/definitions/284.html
• Documentation to update WinLogon - https://help.duo.com/s/article/3543
• Documentation for the “OfflineAvailable” setting - https://duo.com/docs/rdp#advanced-configuration
• Documentation for the “FailOpen” setting - https://help.duo.com/s/article/1081

Credits/Contact

Duo Security would like to thank National Retail Properties for their security report that led to this fix.

If you have questions regarding this issue, please contact us at:

• support@duosecurity.com, referencing "DUO-PSA-2019-001" in the subject
• our phone line at +1(844) 386.6748.

International customers can find our toll-free numbers here: https://duo.com/about/contact.

Or, reach out to your Customer Success Manager, as appropriate.