Duo Product Security Advisory
Advisory ID: DUO-PSA-2020-002
Publication Date: 2020-04-28
Revision Date: 2020-04-28
Status: Confirmed, Fixed
Document Revision: 1
Overview
========
Duo Engineering has identified and fixed an issue with directory sync for on-premises Microsoft Active Directory, OpenLDAP, and Microsoft Entra ID related to access rights of fully authenticated users. As a result of this issue, users who had been manually placed in a group and who were later synced as part of a directory-synced group continued to be part of the manually-created group. A successful sync should have removed them from the manually-created group. This issue could have allowed access that was previously granted to a user via the manual group to inadvertently persist, only if it was different from access granted by their synced groups. The issue was first discovered by Duo and was also reported to us by a customer, prior to completion of a fix. For customers synchronizing with on-premises directories, a fix was deployed on April 3, 2020. A fix for Azure was deployed in a rolling release between April 13 and April 23, 2020.
If you received this notification via email, Duo's analysis showed that you had at least one manually-created group whose permissions could affect users' security posture if they were not correctly removed from that group via a directory sync. Out of an abundance of caution, we directly notified all customers who met this criterion as of our analysis on April 8, 2020, to allow them to review their policies associated with manually-created groups. This is described below under “Solution.”
Description
===========
Duo allows groups to be created and managed in one of two ways: groups can be created and edited manually, or by synchronizing group information from a directory. These options are designed to be mutually exclusive; in particular, a user managed by directory sync cannot be added to manually-created groups. In addition, if a manually-created user later becomes sync-managed, that user’s existing memberships in manually-created groups should (as stated in Duo’s documentation) be removed.
However, an issue was identified in which sync-managed users who were previously manually added to a manually-created group were not removed from these groups after a directory sync as expected. When functioning correctly, the sync should remove synced users from all manually-created Duo groups and place them in the synced groups.
Group membership permissions are evaluated for both synced groups and manually-created groups. If a user is a member of both a synced group and a manually-created group, their permissions will be evaluated for both groups, one after the other. The order in which group permissions are evaluated is configurable by Duo administrators, so for users affected by this issue, their manual group permissions may or may not have been evaluated before their synced group permissions.
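The invariant the Description relies on (a sync-managed user must not remain in any manually-created group) is easy to state as an audit check. The following Python is an added example, not Duo's own code: it flags sync-managed users who still hold manual-group memberships, applies the expected post-sync removal, and uses a deliberately simplified first-match model of ordered group policies (an assumption, not Duo's exact policy engine) to show why the leftover membership only matters when the two groups' policies differ and depends on the configured evaluation order. The user and group records, and the field names "managed_by", "group_type" and "policy", are constructed for this example and are not the Duo Admin API's fields.

```python
"""Audit check for stale manual-group memberships after a directory sync.

Added example, not Duo's code. Field names and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Group:
    name: str
    group_type: str        # "synced" or "manual" (assumed labels)
    policy: Optional[str]  # policy attached to this group, if any (assumed)


@dataclass
class User:
    username: str
    managed_by: str        # "sync" or "manual" (assumed labels)
    groups: List[str] = field(default_factory=list)


def find_stale_manual_memberships(users, groups):
    """Return {username: [manual group names]} for sync-managed users that are
    still members of manually-created groups. Empty dict = invariant holds."""
    by_name = {g.name: g for g in groups}
    stale = {}
    for u in users:
        if u.managed_by != "sync":
            continue
        leftover = [g for g in u.groups if by_name[g].group_type == "manual"]
        if leftover:
            stale[u.username] = leftover
    return stale


def reconcile(users, groups):
    """Apply the expected post-sync behaviour: drop sync-managed users from
    every manually-created group and return the corrected user list."""
    by_name = {g.name: g for g in groups}
    fixed = []
    for u in users:
        if u.managed_by == "sync":
            kept = [g for g in u.groups if by_name[g].group_type != "manual"]
            fixed.append(User(u.username, u.managed_by, kept))
        else:
            fixed.append(User(u.username, u.managed_by, list(u.groups)))
    return fixed


def effective_policy(user, groups, evaluation_order):
    """Simplified first-match model (an assumption for this example): walk the
    administrator-configured group order and return the policy of the first
    group the user belongs to that carries one; fall back to a default."""
    by_name = {g.name: g for g in groups}
    for name in evaluation_order:
        if name in user.groups and by_name[name].policy is not None:
            return by_name[name].policy
    return "global-default"


# Constructed sample data: alice was added manually, then became sync-managed.
GROUPS = [
    Group("Contractors (manual)", "manual", "allow-sms-passcodes"),
    Group("Engineering (synced)", "synced", "require-push-only"),
]
USERS = [
    User("alice", "sync", ["Contractors (manual)", "Engineering (synced)"]),
    User("bob", "sync", ["Engineering (synced)"]),
    User("carol", "manual", ["Contractors (manual)"]),
]

if __name__ == "__main__":
    print("stale before fix:", find_stale_manual_memberships(USERS, GROUPS))
    alice = USERS[0]
    print("manual first :", effective_policy(alice, GROUPS, ["Contractors (manual)", "Engineering (synced)"]))
    print("synced first :", effective_policy(alice, GROUPS, ["Engineering (synced)", "Contractors (manual)"]))
    print("stale after fix:", find_stale_manual_memberships(reconcile(USERS, GROUPS), GROUPS))
```

Running the script flags only alice, shows that her effective policy flips with the evaluation order while the stale membership exists, and shows the reconciled list passing the check. The same audit, fed from an export of an organization's users and groups, is a quick way to confirm that the fix described below has taken effect.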
We are not aware of any malicious activity resulting from this issue. Based on our analysis, it appears that this issue has been present in Microsoft Entra ID sync since November 2016. For on-premises Active Directory/OpenLDAP, the issue was introduced on March 22, 2020, but fixed for all customers on April 3, 2020.
Impact
======
Failure to remove users from manually-created groups could have allowed access previously granted to a user through a manually-created group to persist inadvertently, in cases where the permissions of the user's manually-created group(s) differed from those of their synced group(s).
Affected Product(s)
===================
Directory sync for on-premises Microsoft Active Directory/OpenLDAP, and Microsoft Entra ID
Solution
========
Duo deployed a fix for this issue to all on-premises Microsoft Active Directory and OpenLDAP customers on April 3, 2020. A fix for Microsoft Entra ID customers was deployed in a rolling release between April 13 and April 23, 2020. The fix restores the original behavior where the users are correctly removed from manually-created groups when the sync is complete. In general, no additional action should be required from customers, as any previously-affected users should have been corrected by the sync process so long as a sync was able to successfully run.
We also recommend that administrators visit https://admin.duosecurity.com/users/directorysync to confirm that their directory sync is running successfully so that these fixes can take full effect. Additional activity logs related to directory sync can be found at https://admin.duosecurity.com/logs/admin-actions.
Vulnerability Metrics
=====================
Vulnerability Class: CWE-842: Placement of User into Incorrect Group
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: Medium
CVSSv2 Overall Score: 5.5
CVSSv2 Group Scores: Base: 3.2, Temporal: 2.5
CVSSv2 Vector: AV:N/AC:H/Au:M/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:LM/TD:H/CR:H/IR:H/AR:ND
Timeline
========
03/22/2020
- 1:43 PM EDT - Duo Engineering identified a discrepancy between the group membership behaviors of directory syncs for on-premises Microsoft Active Directory, OpenLDAP, and Microsoft Entra ID sync
03/27/2020
- 12:48 AM EDT - A customer using directory sync with on-premises Active Directory noticed the behavior in their account and reported the issue to Duo
04/01/2020
- 07:59 PM EDT - Duo Engineering becomes aware of the directory sync behavior for Microsoft Entra ID during internal testing
04/02/2020
- 11:30 AM EDT -
  - Duo Engineering begins to develop a fix for the issue
  - Duo begins analysis to determine potentially impacted customers
  - Duo activates our internal PSIRT process
04/03/2020
- 10:00 PM EDT - Duo completes rollout of fix for on-premises Active Directory/OpenLDAP
04/09/2020
- 05:00 PM EDT - Duo completes the rollout of an additional fix for on-premises Active Directory/OpenLDAP that covers some edge cases for user synchronization
04/13/2020
- 11:00 AM EDT - Duo distributes PSA to impacted customers
04/24/2020
- 05:54 AM EDT - Duo completes rollout of fix for Microsoft Entra ID
04/28/2020
- 11:00 AM EDT - Duo publishes the PSA
References
==========
- CWE-842: Placement of User into Incorrect Group - https://cwe.mitre.org/data/definitions/842.html
- What happens when existing Duo users are synced with Azure, Active Directory, or OpenLDAP? - https://duo.com/docs/dirsync-faq#what-happens-when-existing-duo-users-are-synced-with-azure,-active-directory,-or-openldap?
- Synchronizing Users from Microsoft Entra ID - https://duo.com/docs/azuresync
- Synchronizing Users from Active Directory - https://duo.com/docs/adsync
Credits/Contact
===============
If you have questions regarding this issue, please contact us at:
- security@duosecurity.com, referencing "DUO-PSA-2020-002" in the subject
- our phone line at +1(844) 386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact