Duo Product Security Advisory

Advisory ID: DUO-PSA-2020-001
Publication Date: 2020-03-19
Revision Date: 2020-03-19
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue with Directory Sync where enrollment emails were sent to users regardless of whether the “Send enrollment emails to sync users” checkbox was checked in the Admin Panel. This issue could have allowed users who were not intended to be enrolled via email at this time to enroll in Duo. This issue was identified on Tuesday, March 17th and a fix was deployed the same day.

Description

As part of the Directory Sync capability, Duo can be configured to automatically send enrollment link emails to imported users that do not have any enrolled authentication devices. On Tuesday, March 17, a customer identified that enrollment emails from Duo were being sent to unenrolled users following successful Directory Syncs even though the customer was not configured to send them. This issue occurred due to a bug in Directory Sync introduced during a recent deployment of the Duo Admin Panel.

The code responsible for determining whether to send the enrollment emails failed to properly validate the status of the “Send enrollment emails to sync users” checkbox, which resulted in enrollment emails being sent to all synced users in the unenrolled state. This allowed users who received these emails to enroll devices in Duo regardless of whether the administrator had intended to enroll that particular user, or to enroll that user via email.

Impact

Users synced via Directory Sync could have enrolled in Duo via email, regardless of whether the administrator had intended to enroll that user or enroll that user via email. This may have bypassed additional security controls customers have put in place for Duo deployments, including for users that are not typically enrolled via email.

Affected Product(s)

Directory Sync for Active Directory, Microsoft Entra ID, and OpenLDAP on the following deployments: DUO33, DUO50, DUO56, DUO58, DUO62, and DUO63.

Solution

Duo has deployed a fix for this issue as of Tuesday, March 17th, and invalidated the enrollment email links for users who may have received them in error on Wednesday, March 18th. Some users may have enrolled using these links before they were invalidated; therefore, Duo recommends that administrators for affected customers review any recent enrollments to ensure they are valid. Customers whose existing email management systems offer this capability may also choose to remove incorrectly-sent enrollment emails from end-users' inboxes.

The associated logs for recent enrollments on a deployment can be reviewed here: https://admin.duosecurity.com/logs?limit=25&page=1&is_enrollment=true&iname=portal&timeRange=2020-03-17T05:00:00.000Z~2020-03-19T00:30:00.000Z
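The following Python is an added illustration, not Duo's code: it models the defect described above (the checkbox state not being consulted before selecting unenrolled synced users for an email) beside the corrected decision, and a helper that picks out enrollments completed through an emailed link inside the review window given in the log URL. The user, settings and event types, and all sample data, are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SyncedUser:
    username: str
    enrolled_devices: int  # 0 means the user has no enrolled authenticator


@dataclass(frozen=True)
class SyncSettings:
    # Models the "Send enrollment emails to sync users" Admin Panel checkbox
    send_enrollment_emails: bool


def enrollment_email_recipients(users, settings, honor_checkbox=True):
    """Return usernames that should get an enrollment email after a sync.

    honor_checkbox=False reproduces the defect in the advisory: the checkbox
    is never consulted, so every unenrolled synced user is emailed.
    """
    if honor_checkbox and not settings.send_enrollment_emails:
        return []  # corrected behaviour: checkbox off means no emails at all
    return [u.username for u in users if u.enrolled_devices == 0]


@dataclass(frozen=True)
class EnrollmentEvent:
    username: str
    completed_at: datetime
    via_email_link: bool  # enrollment finished through an emailed link


# Review window taken from the advisory's log link (UTC); constructed defaults
WINDOW_START = datetime(2020, 3, 17, 5, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 3, 19, 0, 30, tzinfo=timezone.utc)


def enrollments_to_review(events, start=WINDOW_START, end=WINDOW_END):
    """Usernames whose enrollment came via an email link inside the window.

    These are the enrollments an administrator should confirm were intended.
    """
    return sorted(
        e.username
        for e in events
        if e.via_email_link and start <= e.completed_at <= end
    )
```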

Vulnerability Metrics

Vulnerability Class: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: Medium
CVSSv2 Overall Score: 1.6
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3
CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:L/CR:H/IR:ND/AR:ND

Timeline

2020-03-17

  • 15:17 ET - Duo becomes aware of a customer report where erroneous enrollment emails are being sent after a Directory Sync is performed
  • 15:33 ET - Duo engineering begins to triage the issue
  • 16:35 ET - Duo updates status.duo.com to let our customers know there is an active incident
  • 19:41 ET - Duo completes rolling out a fix for the issue to customers
  • 20:47 ET - After monitoring deployments for further issues, Duo confirms the issue has been resolved.

2020-03-18

  • 12:58 ET - Duo activates our internal PSIRT process
  • 19:32 ET - Duo makes the decision to invalidate all enrollment links erroneously generated by this issue
  • 20:29 ET - Duo invalidates all identified enrollment links that were erroneously generated by this issue

2020-03-19

  • Duo distributes PSA to impacted customers

Credits/Contact

If you have questions regarding this issue, please contact us at:

  • security@duosecurity.com, referencing "DUO-PSA-2020-001" in the subject
  • our phone line at +1(844) 386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.

Or, reach out to your Customer Success Manager, as appropriate.