Duo Product Security Advisory

Advisory ID: DUO-PSA-2019-002
CVE: CVE-2019-3465
Publication Date: 2019-11-12
Revision Date: 2019-11-12
Status: Confirmed, Fixed
Document Revision: 1

Overview

A third-party software library, which the Duo Access Gateway (DAG) uses to enable SAML as a first-factor authentication source, contains a vulnerability that could allow an attacker to impersonate a user when authenticating to an application that is federated through the Duo Access Gateway. Version 1.5.10 of the Duo Access Gateway corrects this issue.

Description

This vulnerability was identified during an independent third-party security audit of SimpleSAMLphp and was reported to the maintainers. An issue was identified in the way that xmlseclibs, a library used by SimpleSAMLphp to perform XML signing and encryption operations, validates the SignedInfo element of a SAML response.

Specifically, it was possible for an attacker to include data within a SAML response that, while not actually signed, would be interpreted by SimpleSAMLphp as signed by an Identity Provider (IdP). This issue is only applicable to Duo Access Gateways that are configured to use a SAML Identity Provider as their authentication source. DAGs configured to use Active Directory for first-factor authentication are not affected.
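
The defensive counterpart to the issue described above is to bind the element a Service Provider consumes to the element the verified signature actually references, and to reject a Signature that carries more than one SignedInfo. The following is an added illustration, not code from Duo, SimpleSAMLphp or xmlseclibs. It assumes the Identity Provider signs the Assertion itself with an enveloped signature whose single Reference points at its parent's ID, and it leaves the cryptographic verification of SignatureValue and digests to the XML-DSig library; the sample Response documents and their placeholder signature values are constructed for the example.

```python
"""
Structural binding check for enveloped XML signatures in a SAML Response.
Constructed example; assumes the XML-DSig library has already verified the
SignatureValue and reference digests. What this adds is the check that the
Assertion actually consumed is the one the Signature references, and that
each Signature carries exactly one SignedInfo.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]
SIGNED_INFO = "{%s}SignedInfo" % NS["ds"]
REFERENCE = "{%s}Reference" % NS["ds"]


class SignatureBindingError(Exception):
    """Raised when a signature does not cleanly bind to one Assertion."""


def covered_element_ids(root):
    """IDs of elements that an enveloped ds:Signature references.

    Enforced: exactly one SignedInfo per Signature, exactly one Reference per
    SignedInfo, a same-document '#id' URI, and that id must be the ID of the
    Signature's own parent element (an enveloped signature over that parent).
    """
    parent = {child: p for p in root.iter() for child in p}
    covered = set()
    for sig in root.iter(SIGNATURE):
        signed_infos = sig.findall(SIGNED_INFO)  # direct children only
        if len(signed_infos) != 1:
            raise SignatureBindingError("Signature must hold exactly one SignedInfo")
        refs = signed_infos[0].findall(REFERENCE)
        if len(refs) != 1:
            raise SignatureBindingError("SignedInfo must hold exactly one Reference")
        uri = refs[0].get("URI", "")
        owner = parent.get(sig)
        if not uri.startswith("#") or owner is None or owner.get("ID") != uri[1:]:
            raise SignatureBindingError("Reference does not point at the signed parent")
        covered.add(owner.get("ID"))
    return covered


def naive_subject(xml_text):
    """What a careless consumer does: read the first Assertion it finds."""
    root = ET.fromstring(xml_text)
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def bound_subject(xml_text):
    """Return the NameID only from the single Assertion the Signature covers."""
    root = ET.fromstring(xml_text)
    covered = covered_element_ids(root)
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        raise SignatureBindingError("response must carry exactly one Assertion")
    if assertions[0].get("ID") not in covered:
        raise SignatureBindingError("the Assertion is not covered by any signature")
    return assertions[0].find("saml:Subject/saml:NameID", NS).text


# --- constructed sample documents (placeholder signature values, no real crypto) ---
def _signature(ref_id, extra=""):
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>%s'
        "<ds:SignatureValue>constructed-placeholder</ds:SignatureValue>"
        "</ds:Signature>" % (ref_id, extra)
    )


def _assertion(assertion_id, name_id, signature=""):
    return (
        '<saml:Assertion ID="%s">%s<saml:Subject><saml:NameID>%s</saml:NameID>'
        "</saml:Subject></saml:Assertion>" % (assertion_id, signature, name_id)
    )


def _response(*assertions):
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp">%s'
        "</samlp:Response>" % "".join(assertions)
    )


GENUINE = _response(_assertion("_a1", "alice", _signature("_a1")))
# An unsigned Assertion for "bob" placed ahead of the genuinely signed one.
WRAPPED = _response(_assertion("_a2", "bob"), _assertion("_a1", "alice", _signature("_a1")))
# A copied Signature whose Reference names an ID other than its parent's.
MISPOINTED = _response(_assertion("_a2", "bob", _signature("_a1")))
# A Signature carrying a second SignedInfo.
DOUBLE_SIGNED_INFO = _response(_assertion(
    "_a1", "alice",
    _signature("_a1", '<ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>')))

if __name__ == "__main__":
    print("naive:", naive_subject(GENUINE), "/", naive_subject(WRAPPED))
    print("bound:", bound_subject(GENUINE))
    for doc in (WRAPPED, MISPOINTED, DOUBLE_SIGNED_INFO):
        try:
            bound_subject(doc)
        except SignatureBindingError as exc:
            print("rejected:", exc)
```

The naive reader returns "bob" for the wrapped Response, which is exactly the "data that is not actually signed but interpreted as signed" outcome the advisory describes; the bound reader returns "alice" for the genuine Response and rejects the other three. Run this check in addition to, not instead of, the library's signature verification, and keep the library at a fixed version (xmlseclibs as shipped with DAG 1.5.10 or later) so that the SignedInfo validation itself is correct.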

Impact

This vulnerability could allow an attacker who is able to authenticate to the DAG and obtain a valid signature in a SAML response from an Identity Provider to specify a different username to a Service Provider than was originally used to authenticate. This could allow an attacker to impersonate other users when accessing applications already available to them through the DAG. If the impersonated username has a Duo bypass policy applied, then the attacker could potentially access any application federated by the DAG.

Affected Product(s)

Duo Authentication Gateway (DAG) version 1.5.9 and below

Solution

Duo recommends that all customers using Duo Access Gateway, but especially those who use the DAG with a SAML Identity Provider, upgrade to the latest version, 1.5.10, as soon as possible.

Vulnerability Metrics

Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: High
CVSSv2 Overall Score: 1.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.1
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C/CDP:MH/TD:L/CR:M/IR:M/AR:L

Timeline

2019-11-04

  • 08:14 ET - Duo becomes aware of a vulnerability in SimpleSAMLphp that potentially affects the DAG
  • 14:08 ET - Duo contacts the SimpleSAMLphp maintainers requesting additional details about the vulnerability

2019-11-05

  • 02:48 ET - Duo receives a response from the maintainers with additional detail regarding the vulnerability
  • 08:15 ET - Duo begins reviewing the issue to determine if the DAG is impacted
  • 10:15 ET - After analysis of the issue, Duo believes the DAG is likely affected and begins working on a new release containing the fix
  • 16:28 ET - Duo begins the build and test process for creating a release candidate of the DAG

2019-11-06

  • 08:37 ET - Duo is able to use a proof-of-concept exploit to confirm that the DAG release candidate build with the fix is not vulnerable
  • 12:00 ET - Duo releases DAG version 1.5.10 and makes it available to customers

2019-11-12

  • Duo distributes PSA to potentially impacted customers

Credits/Contact

Duo Security would like to thank the maintainers of SimpleSAMLphp for their help in remediating this issue.

If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2019-002" in the subject
  • our phone line at +1(844) 386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.

Or, reach out to your Customer Success Manager, as appropriate.