Advisory ID: DUO-PSA-2020-001
Publication Date: 2020-03-19
Revision Date: 2020-03-19
Status: Confirmed, Fixed
Document Revision: 1
Duo has identified and fixed an issue with Directory Sync where enrollment emails were sent to users regardless of whether the “Send enrollment emails to sync users” checkbox was checked in the Admin Panel. This issue could have allowed users who were not intended to be enrolled via email at this time to enroll in Duo. This issue was identified on Tuesday, March 17th and a fix was deployed the same day.
As part of the Directory Sync capability, Duo can be configured to automatically send enrollment link emails to imported users that do not have any enrolled authentication devices. On Tuesday, March 17, a customer identified that enrollment emails from Duo were being sent to unenrolled users following successful Directory Syncs even though they were not configured to do so. This issue occurred due to a bug in Directory Sync introduced during a recent deployment of the Duo Admin Panel.
The code responsible for determining whether to send the enrollment emails failed to properly validate the status of the “Send enrollment emails to sync users” checkbox, which resulted in enrollment emails being sent to all synced users in the unenrolled state. This allowed users who received these emails to enroll devices in Duo regardless of whether the administrator had intended to enroll that particular user, or to enroll that user via email.
Users synced via Directory Sync could have enrolled in Duo via email, regardless of whether the administrator had intended to enroll that user or enroll that user via email. This may have bypassed additional security controls customers have put in place for Duo deployments, including for users that are not typically enrolled via email.
Directory Sync for Microsoft Entra ID and OpenLDAP on the following deployments: DUO33, DUO50, DUO56, DUO58, DUO62, and DUO63.
Duo has deployed a fix for this issue as of Tuesday, March 17th, and invalidated the enrollment email links for users who may have received them in error on Wednesday, March 18th. Some users may have enrolled using these links before they were invalidated; therefore, Duo recommends that administrators for affected customers review any recent enrollments to ensure they are valid. Customers whose existing email management systems offer this capability may also choose to remove incorrectly-sent enrollment emails from end-users' inboxes.
The associated logs for recent enrollments on a deployment can be reviewed here: https://admin.duosecurity.com/logs?limit=25&page=1&is_enrollment=true&iname=portal&timeRange=2020-03-17T05:00:00.000Z~2020-03-19T00:30:00.000Z
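To support the review recommended above, the following is an added example (not Duo's code) that encodes the gate the sync should have applied and then flags enrollments in the affected window that the gate would never have emailed a link for. The log record layout, the sync names and the sample entries are constructed assumptions, not Duo's real log schema; the window bounds are taken from the log link above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed model of an enrollment-log entry; field names are assumptions,
# not Duo's real log schema.
@dataclass
class EnrollmentEvent:
    username: str
    timestamp: datetime
    method: str                      # "email_link", "manual", ...
    source: str                      # "directory_sync" or "manual"
    sync_name: Optional[str] = None  # which Directory Sync created the user

# Per-sync state of the "Send enrollment emails to sync users" checkbox (constructed).
SYNC_SENDS_ENROLLMENT_EMAILS = {"corp-ldap": False, "contractors": True}

# Window in which the bug was live, taken from the advisory's log link.
WINDOW_START = datetime(2020, 3, 17, 5, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 3, 19, 0, 30, tzinfo=timezone.utc)

def should_send_enrollment_email(user_enrolled: bool, checkbox_checked: bool) -> bool:
    """The gate the sync must apply; the bug skipped the checkbox test."""
    return checkbox_checked and not user_enrolled

def needs_review(ev: EnrollmentEvent, sync_config: dict,
                 start: datetime = WINDOW_START, end: datetime = WINDOW_END) -> bool:
    """True for an email-link enrollment of a synced user, inside the window,
    that the correct gate would never have sent an email for."""
    if ev.method != "email_link" or ev.source != "directory_sync":
        return False
    if not (start <= ev.timestamp <= end):
        return False
    checkbox = sync_config.get(ev.sync_name, False)  # checkbox state for that sync
    # The user was necessarily unenrolled when the link arrived, or no link would exist.
    return not should_send_enrollment_email(user_enrolled=False, checkbox_checked=checkbox)

def flag_enrollments(events, sync_config=SYNC_SENDS_ENROLLMENT_EMAILS):
    return sorted(ev.username for ev in events if needs_review(ev, sync_config))

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed sample entries: both checkbox states, one outside the window, one manual.
SAMPLE_EVENTS = [
    EnrollmentEvent("alice", ts("2020-03-17T14:00:00Z"), "email_link", "directory_sync", "corp-ldap"),
    EnrollmentEvent("bob", ts("2020-03-18T09:00:00Z"), "email_link", "directory_sync", "contractors"),
    EnrollmentEvent("carol", ts("2020-03-16T12:00:00Z"), "email_link", "directory_sync", "corp-ldap"),
    EnrollmentEvent("dave", ts("2020-03-18T10:00:00Z"), "manual", "manual"),
    EnrollmentEvent("erin", ts("2020-03-18T23:00:00Z"), "email_link", "directory_sync", "corp-ldap"),
]
```

Running `flag_enrollments(SAMPLE_EVENTS)` on the constructed entries returns the users whose enrollment came through a link their sync was configured never to send; an administrator confirms each one with the user before treating it as valid.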
Vulnerability Class: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: Medium
CVSSv2 Overall Score: 1.6
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3
CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:L/CR:H/IR:ND/AR:ND
If you have questions regarding this issue, please contact us at:
Or, reach out to your Customer Success Manager, as appropriate.