Advisory ID: DUO-PSA-2019-002
Publication Date: 2019-11-12
Revision Date: 2019-11-12
Status: Confirmed, Fixed
Document Revision: 1
A third-party software library, which the Duo Access Gateway (DAG) uses to enable SAML as a first-factor authentication source, contains a vulnerability that could allow an attacker to impersonate a user when authenticating to an application that is federated through the Duo Access Gateway. Version 1.5.10 of the Duo Access Gateway corrects this issue.
This vulnerability was identified during an independent third-party security audit of SimpleSAMLphp and was reported to its maintainers. The issue lies in the way xmlseclibs, the library SimpleSAMLphp uses for XML signing and encryption operations, validates the SignedInfo element of a signed SAML response.
Specifically, it was possible for an attacker to include data within a SAML response that, while not actually covered by the signature, would be interpreted by SimpleSAMLphp as having been signed by the Identity Provider (IdP). This issue only affects Duo Access Gateways configured to use a SAML Identity Provider as their authentication source. DAGs configured to use Microsoft Entra ID for first-factor authentication are not affected.
An attacker who is able to authenticate to the DAG, and who therefore holds a SAML response carrying a valid IdP signature, could present a different username to a Service Provider than the one the IdP actually asserted. This could allow the attacker to impersonate other users when accessing applications already available to them through the DAG. If the impersonated username has a Duo bypass policy applied, the attacker could potentially access any application federated by the DAG.
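The consumer-side check that the two paragraphs above call for, as an added Python example that is not code from the advisory, from SimpleSAMLphp, or from xmlseclibs, and that does not reproduce the specific xmlseclibs defect: after an XML-DSig library has cryptographically verified the signature (assumed here to have already happened; it is not implemented), make sure the assertion whose NameID is consumed is exactly the element the signature's single ds:Reference covers, and that no unsigned Assertion elements ride alongside it. The two SAML responses are constructed for the example, with placeholder signature values, and every function and element name below is the example's own.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol messages, assertions and XML-DSig.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlBindingError(Exception):
    """The assertion being consumed is not the element the signature covers."""


def _is_within(node, ancestor, parents):
    # True if node is ancestor itself or lies somewhere in ancestor's subtree.
    while node is not None:
        if node is ancestor:
            return True
        node = parents.get(node)
    return False


def _signed_element(root, sig):
    # Resolve the signature's single ds:Reference to the element it covers.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise SamlBindingError(f"expected exactly one ds:Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if uri == "":
        return root  # URI="" means the whole document is signed
    if not uri.startswith("#"):
        raise SamlBindingError(f"unsupported Reference URI {uri!r}")
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:
        raise SamlBindingError(f"Reference {uri!r} resolves to {len(matches)} elements")
    return matches[0]


def extract_subject(response_xml):
    """Return the NameID of the one assertion the signature actually covers.

    Assumption: an XML-DSig library has already verified the SignatureValue
    against the IdP certificate. Only the data-to-signature binding is checked here.
    """
    root = ET.fromstring(response_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise SamlBindingError(f"expected exactly one ds:Signature, found {len(sigs)}")
    signed = _signed_element(root, sigs[0])
    # SAML signatures are enveloped: the Signature must be a direct child of the
    # element its Reference points at, not of some unrelated element.
    if parents.get(sigs[0]) is not signed:
        raise SamlBindingError("Signature is not enveloped in the element it references")
    assertions = root.findall(".//saml:Assertion", NS)
    covered = [a for a in assertions if _is_within(a, signed, parents)]
    if len(assertions) != 1 or len(covered) != 1:
        raise SamlBindingError(
            f"{len(assertions)} Assertion elements present, {len(covered)} covered by the signature")
    name_id = covered[0].find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlBindingError("signed assertion carries no NameID")
    return name_id.text.strip()


def naive_subject(response_xml):
    # What a consumer that trusts "the first Assertion" does: no binding check at all.
    root = ET.fromstring(response_xml)
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def rejects(response_xml):
    # Convenience for tests: does the hardened extractor refuse this message?
    try:
        extract_subject(response_xml)
        return False
    except SamlBindingError:
        return True


# --- constructed sample messages (placeholder digests and signature values) ---
def _signature(uri):
    return ("<ds:Signature><ds:SignedInfo>"
            f'<ds:Reference URI="{uri}"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
            "</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>")


def _assertion(aid, name_id, signature=""):
    return (f'<saml:Assertion ID="{aid}" Version="2.0">'
            "<saml:Issuer>https://idp.example.com</saml:Issuer>" + signature +
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>")


def _response(body):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
            "<saml:Issuer>https://idp.example.com</saml:Issuer>" + body + "</samlp:Response>")


# Genuine message: the only assertion carries the IdP signature over itself.
LEGIT_RESPONSE = _response(_assertion("_a1", "alice@example.com", _signature("#_a1")))
# Wrapped message: the genuine signed assertion is kept intact, so a signature
# check still passes, and an unsigned assertion naming another user is added in front.
WRAPPED_RESPONSE = _response(
    _assertion("_a2", "admin@example.com") + _assertion("_a1", "alice@example.com", _signature("#_a1")))
```

On the wrapped message naive_subject returns the attacker-supplied admin@example.com even though the only signed assertion names alice@example.com, while extract_subject rejects it because two Assertion elements are present and only one sits inside the signed subtree. The binding check belongs after, not instead of, cryptographic verification of the signature.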
Duo Access Gateway (DAG) version 1.5.9 and below
Duo recommends that all customers using Duo Access Gateway, but especially those who use the DAG with a SAML Identity Provider, upgrade to the latest version, 1.5.10, as soon as possible.
Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: Yes
Authentication Required: Yes
CVSSv2 Overall Score: 1.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.1
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C/CDP:MH/TD:L/CR:M/IR:M/AR:L
Duo Security would like to thank the maintainers of SimpleSAMLphp for their help in remediating this issue.
If you have questions regarding this issue, please contact us at:
Or, reach out to your Customer Success Manager, as appropriate.