Advisory ID: DUO-PSA-2020-003
Publication Date: 2020-06-30
Revision Date: 2020-06-30
Status: Confirmed, Fixed
Document Revision: 2
Duo has identified and fixed an issue in the DuoConnect client that allows end-users to choose insecure configurations. If DuoConnect is incorrectly configured by the end-user via the '-relay' switch to use "http://" rather than "https://", then, under certain conditions, DuoConnect may send an authentication token to a Duo Network Gateway (DNG) instance over an unencrypted HTTP connection. An adversary who captures such a token could use it to bypass the DNG server and gain unauthenticated network-level access to the SSH servers behind it.
This issue was resolved in DuoConnect version 1.1.1 by enforcing HTTPS connections when communicating with the DNG server.
If you received this notification via email, Duo's analysis showed that you had at least one user use a DNG-SSH integration type for authentication in the last 90 days. See remediation steps below under "Solution."
The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user's browser is opened to a login screen, at a URL determined by the contents of the '-relay' argument, in order to complete authentication. If the '-relay' value begins with "http://", then the browser will initially attempt to load the URL over an insecure HTTP connection before being immediately redirected to HTTPS (in addition to the standard redirect, the DNG sends HTTP Strict Transport Security headers so that the browser uses HTTPS for later requests). The browser flow is therefore protected; the non-browser request described below is not.
After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured '-relay' value, and sends this token, as well as the intended SSH server hostname and port numbers. If the '-relay' argument begins with "http://", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network.
The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.
An adversary who is able to monitor network traffic between an improperly-configured DuoConnect client and a DNG instance may be able to capture authentication tokens. These tokens could then be replayed to bypass DNG authentication, gaining network-level access to SSH servers that are protected by a DNG, but they cannot be used on their own to authenticate against a DNG-protected SSH server.
This issue affects DuoConnect versions on all supported platforms before version 1.1.1.
The Duo Product team has fixed the issue by updating DuoConnect to version 1.1.1, which rejects relay configurations that do not specify an HTTPS-based relay.
A DNG instance will automatically instruct users to install the latest version of DuoConnect. Duo administrators do not need to perform any manual updates unless their DNG is not able to connect to the internet to download the new version of the software. In that case, administrators should instruct end-users to download the latest DuoConnect version directly using the links below.
Steps required for end-user remediation:
The signature of DuoConnect installer files can be verified at https://duo.com/docs/checksums.
End-users will need to update their DuoConnect SSH configuration if they receive the error message shown below:
Error: Invalid URL: relay scheme http://server-ssh.example.com invalid: must be https
Update the SSH configuration: locate the http relay in the SSH configuration, e.g. "ProxyCommand duoconnect -host=%h:%p -relay=http://server-ssh.example.com", and change the relay so that it uses 'https://' rather than 'http://', e.g. "ProxyCommand duoconnect -host=%h:%p -relay=https://server-ssh.example.com". Check every Host block that uses duoconnect, since each may carry its own -relay value.
The SSH configuration for *nix and macOS operating systems is located at ~/.ssh/config. The SSH configuration for Windows operating systems can most commonly be found in the user's .ssh directory, C:\Users\username\.ssh (i.e. C:\Users\username\.ssh\config).
Additionally, you can refer to the “Configure SSH” section in the DuoConnect guide to learn more about steps for SSH configuration should you need further guidance.
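The following script is an added example for the remediation steps above; it is not DuoConnect's own code and is not published by Duo. It does two things: it applies the same rule DuoConnect 1.1.1 enforces (a relay must be an https:// URL, reported with the advisory's error wording), and it audits an OpenSSH client config for duoconnect ProxyCommand lines whose -relay value is not https, optionally rewriting http:// to https://. The regular expression, the function names and the sample config are assumptions made for this example; the real DuoConnect binary performs its own check internally.

```python
"""Audit and repair DuoConnect relay URLs in an OpenSSH client config.

Added example, not DuoConnect's own code. Assumes the layout from the
advisory: one "ProxyCommand duoconnect ... -relay=<url>" line per Host.
"""
import os
import re
import sys
from urllib.parse import urlsplit

# Matches the -relay switch of a duoconnect ProxyCommand, with or without
# surrounding quotes. Group 1 is "-relay=", group 2 the quote (if any),
# group 3 the relay URL. (Assumed format, taken from the advisory example.)
RELAY_RE = re.compile(r"(-relay=)(['\"]?)([^\s'\"]+)\2")

# Constructed sample ~/.ssh/config: one insecure relay, one correct one.
SAMPLE_CONFIG = """\
# constructed sample ~/.ssh/config for this example
Host bastion-ssh
    HostName bastion.internal.example.com
    ProxyCommand duoconnect -host=%h:%p -relay=http://server-ssh.example.com

Host db-ssh
    ProxyCommand duoconnect -host=%h:%p -relay=https://server-ssh.example.com
"""


def validate_relay(url: str) -> str:
    """Accept only https:// relays, the rule DuoConnect 1.1.1 enforces.

    The message wording follows the advisory; the check itself is an
    illustrative reimplementation, not DuoConnect's code.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"Invalid URL: relay scheme {url} invalid: must be https")
    if not parts.netloc:
        raise ValueError(f"Invalid URL: relay {url} has no host")
    return url


def _is_duoconnect_proxy_line(line: str) -> bool:
    stripped = line.strip()
    return (not stripped.startswith("#")
            and "ProxyCommand" in stripped
            and "duoconnect" in stripped)


def find_insecure_relays(config_text: str) -> list:
    """Return (line_number, relay_url) for every duoconnect ProxyCommand
    whose relay fails validate_relay()."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if not _is_duoconnect_proxy_line(line):
            continue
        m = RELAY_RE.search(line)
        if not m:
            continue
        url = m.group(3)
        try:
            validate_relay(url)
        except ValueError:
            findings.append((lineno, url))
    return findings


def fix_config(config_text: str) -> str:
    """Rewrite http:// relays to https:// on duoconnect ProxyCommand lines,
    leaving every other line (comments included) byte-for-byte intact."""
    def _repl(m):
        url = m.group(3)
        if urlsplit(url).scheme == "http":
            url = "https://" + url[len("http://"):]
        return f"{m.group(1)}{m.group(2)}{url}{m.group(2)}"

    out = []
    for line in config_text.splitlines(keepends=True):
        if _is_duoconnect_proxy_line(line):
            line = RELAY_RE.sub(_repl, line)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    # Usage: python relay_audit.py [path-to-ssh-config]
    # Reports insecure relays and prints the corrected config to stdout.
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh/config")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    for lineno, url in find_insecure_relays(text):
        print(f"{path}:{lineno}: insecure relay {url}", file=sys.stderr)
    sys.stdout.write(fix_config(text))
```

Run it against the sample by calling find_insecure_relays(SAMPLE_CONFIG), which flags line 4 (the http relay for bastion-ssh) and nothing else; fix_config(SAMPLE_CONFIG) returns the same text with that one relay changed to https://. The script only prints the corrected config rather than writing it in place, so the user can review the diff before replacing ~/.ssh/config.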
Vulnerability Class: CWE-319: Cleartext Transmission of Sensitive Information
Remotely Exploitable: No
Authentication Required: No
CVSSv3.1 Overall Score: 2.8
CVSSv3.1 Group Scores: Base: 4.8, Temporal: 4.5
CVSSv3.1 Vector: AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C/CR:L/IR:X/AR:X/MAV:A/MAC:H/MPR:N/MUI:R/MS:U/MC:H/MI:N/MA:N
If you have questions regarding this issue, please contact us at:
Or, reach out to your Customer Success Manager, as appropriate.