Duo Product Security Advisory

Advisory ID: DUO-PSA-2020-004
CVE: CVE-2020-3483
Publication Date: 2020-08-13
Revision Date: 2020-08-13
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue with the Duo Network Gateway (DNG) product in which some customer-provided SSL certificates and private keys were not excluded from logging. This issue resulted in certificate and private key information being written out in plain text to local files on the DNG host. Any private keys logged in this way could be viewed by anyone with access to the DNG host operating system, without any need to reverse encrypted values or use similar techniques. An attacker who gained access to the DNG logs and who could also intercept and manipulate network traffic between a user and the DNG could decrypt and manipulate SSL/TLS connections to the DNG and to the protected applications behind it.

If you received this notification via email, Duo’s analysis shows that you have at some point used the DNG software to connect to Duo’s services. We are notifying all customers who used the DNG to alert them to this issue so that they can review their logs. Please see the Solution section below for recommendations on performing the necessary review and remediation of your environment.

This issue was discovered internally by a member of the Duo Engineering team.

Description

The Duo Network Gateway (DNG) requires customers to configure a separate SSL certificate for each protected application. If customers provided their own certificate and uploaded it to the DNG when configuring a DNG-protected application, the values for the certificate and matching private key were logged in plain-text. Certificates and private keys generated automatically using Let's Encrypt are not logged.

This issue was traced to validation logic in a form field used as part of the certificate upload process that did not correctly exclude the certificate and key values from the logging it performed. This resulted in the data being written out to the specified logging location. By default, these logs are written out to a local file inside the DNG Docker container.

Impact

This issue is present in all DNG versions since 1.3.3. However, the certificate and key values are only written to the log file when the key information is uploaded by an administrator when first creating a DNG-protected application, or when modifying the certificates or keys later through an additional upload.

If the private key is exposed to an attacker, the attacker could perform several types of attacks. One such attack would give the attacker the ability to decrypt network traffic, allowing manipulation of the requests and responses to the DNG server.

If a customer is no longer using the DNG, there could still be a risk of compromise if the certificate and key were previously exposed in plain-text logs or in other systems used for logging. A certificate and private key that were exposed to an attacker could also be used outside the DNG context to intercept traffic sent to any service for which that certificate was legitimate. For example, exposure of a wildcard certificate is generally a higher risk issue than a certificate that was only valid for the DNG.

Affected Product(s)

Duo Network Gateway (DNG), versions 1.3.3 through 1.5.7

Solution

To prevent this issue, DNG administrators should upgrade to the latest version, 1.5.8, by following the upgrade instructions on the DNG page on Duo.com: https://duo.com/docs/dng#upgrading-duo-network-gateway

Customers should search all possible locations where logs have been written to determine if certificate and/or key information has been stored in logs. Note that DNG logs are overwritten each time the DNG is restarted, potentially overwriting any logs containing this sensitive information unless they had been previously exported from the Docker container.

By default, the DNG logs are written locally at the path "/var/lib/docker/containers/<container hash>/<container hash>-json.log". The container hash can be found using the "docker ps" command and locating the container in the resulting list.

If records are found, perform the following steps to invalidate the certificate:

  • Retire and revoke the affected certificate currently in use on the DNG instance.
  • Generate a new key and use that to generate a new certificate.

In order to locate records that may contain this information, use the following search string:
host_key": ["---

Example search commands (in the grep form the "[" must be escaped, since an unescaped "[" starts a bracket expression in a regular expression; fgrep matches the string literally):
fgrep 'host_key": ["---' dng.log
grep 'host_key": \["---' dng.log
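The log check above as a small POSIX shell helper, added here as an example and not code from the Duo advisory or the DNG product: it builds the json-file log paths the advisory names from "docker ps", counts lines carrying the marker in a given log, and runs against a constructed sample log. It assumes (the advisory does not say this) that the Docker json-file driver stores each line as a JSON string, so quotes inside the logged data appear escaped as \" in the raw file but unescaped in "docker logs" output; both forms are searched.

```shell
#!/bin/sh
# Added example, not code from the Duo advisory or the DNG product: helpers
# to locate DNG container logs and check them for the key marker above.
# Assumption: with the Docker json-file driver each line is a JSON string,
# so quotes in the logged form data appear escaped as \" in the raw
# <hash>-json.log, while "docker logs" output shows them unescaped.
# Both forms are searched as fixed strings (-F), so "[" is literal.

MARKER_RAW='host_key": ["---'
MARKER_JSON='host_key\": [\"---'

# Print the number of lines in "$1" carrying either marker form (0 if the
# file is missing or unreadable).
count_key_lines() {
    n=$(grep -c -F -e "$MARKER_RAW" -e "$MARKER_JSON" -- "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Print the json-file log path, in the form the advisory gives, for every
# running container; narrow this to your DNG container(s) before acting.
dng_log_paths() {
    for id in $(docker ps -q --no-trunc); do
        printf '/var/lib/docker/containers/%s/%s-json.log\n' "$id" "$id"
    done
}

# Write a constructed sample log to "$1" (not real DNG output): an ordinary
# line, a raw json-file line with the escaped marker, and an exported line.
write_sample_log() {
    cat > "$1" <<'EOF'
{"log":"INFO application form accepted\n","stream":"stdout","time":"2020-07-08T20:30:00Z"}
{"log":"DEBUG form errors: {\"host_key\": [\"-----BEGIN PRIVATE KEY-----\"]}\n","stream":"stdout","time":"2020-07-08T20:30:01Z"}
DEBUG form errors: {"host_key": ["-----BEGIN PRIVATE KEY-----"]}
EOF
}

# Return 0 when "$1" holds no marker, 1 when key material was logged (the
# advisory's remediation then applies: revoke, new key, new certificate).
check_log() {
    if [ "$(count_key_lines "$1")" -gt 0 ]; then
        echo "EXPOSED: $1 contains logged certificate/key material" >&2
        return 1
    fi
    echo "clean: $1"
}
```

Run check_log against each path printed by dng_log_paths, and against any copies of the DNG logs exported to other logging systems, since a container restart overwrites the local file.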

Vulnerability Metrics

Vulnerability Class: CWE-256: Unprotected Storage of Credentials
Remotely Exploitable: No
Authentication Required: Partial
Severity: Critical
CVSSv3 Overall Score: 8.1
CVSSv3 Group Scores: Base: 7.1, Temporal: 7.1
CVSSv3 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:H/RL:U/RC:C/CR:H/IR:H/AR:X/MAV:L/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:H/MA:X

Timeline

07/08/2020

16:30 ET
A Duo engineer reported the issue to Duo PSIRT, notifying us about the sensitive values potentially being logged.

16:40 ET
Duo acknowledges receipt of the report and begins an investigation.

17:35 ET
A fix for the issue is created and submitted to version control for initial evaluation.

07/13/2020

13:10 ET
Duo begins analysis to determine potentially impacted customers and remediation steps for them to follow.

Duo activates our internal PSIRT process.

07/15/2020

Duo completes an impact analysis for the list of potentially affected customers to notify.

07/16/2020

PSA distributed to potentially impacted customers.
Duo releases a new version of Duo Network Gateway containing the fix (1.5.8).

08/13/2020

Duo posts PSA publicly to the PSA section of their website.

References

Credits/Contact

If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2020-004" in the subject
  • our phone line at +1(844) 386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.

Or, reach out to your Customer Success Manager, as appropriate.