Advisory ID: DUO-PSA-2021-001
Publication Date: 2021-04-15
Revision Date: 2021-04-15
Status: Confirmed, Fixed
Document Revision: 1
Duo Security has fixed an issue that could have allowed an attacker with primary credentials of another user to bypass second-factor authentication for that user. Customers are not required to take any actions to resolve this issue.
This issue was reported to Duo by external security researchers on Monday, December 14, 2020 and was fixed for all customers on Tuesday, December 15, 2020.
Upon comprehensive review of all available and applicable logs, Duo found no evidence of any customer impact stemming from this issue. Apart from verifying researcher testing, we identified one instance out of billions of authentication events where this issue may have been encountered, and, upon further investigation, have no indication this was a result of malicious activity.
Shaun Kammerling and Michael Kruger of Orange Cyberdefense's SensePost team disclosed an issue to Duo with the way session information is managed during two-factor authentication through the Duo Prompt. When a user authenticated with a second factor, the state representing that authentication was not tied to the current user’s session. Therefore, an attacker could reuse state information from a successful second factor authentication to bypass the two-factor authentication requirement of another user. This issue required an attacker to have possession of the victim’s primary credentials and have a Duo account on the same Duo deployment. A Duo deployment is a multitenant environment which can host many customers and contains the cloud services that power Duo products.
An attacker who had access to a victim’s primary credentials and a Duo user account on the same Duo deployment could bypass second-factor authentication and successfully authenticate to a Duo-protected application as the victim. Any Duo policies in place that restrict access would have still been enforced.
A fix that remediates this vulnerability has been deployed to Duo’s cloud service for all customers. No action is necessary for customers to resolve this issue.
Vulnerability Class: CWE-290: Authentication Bypass by Spoofing
Remotely Exploitable: Yes
Authentication Required: Yes
CVSSv3 Overall Score: 8.8
CVSSv3 Group Scores: Base: 8.1, Temporal: N/A
CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:H/MA:X
Duo becomes aware of a potential 2FA bypass vulnerability.
Duo is able to reproduce and confirm the vulnerability.
Duo confirms root cause of the issue.
Duo confirms the scope of impact of the issue.
Duo tests a potential fix for the issue, and is able to confirm that it mitigates the vulnerability.
Duo begins rolling out the fix to deployments.
Duo completes rollout of the fix to all customers.
Duo begins log analysis.
Duo completes comprehensive analysis of billions of available and applicable authentication logs, including successful identification of all researcher activity.
Duo would like to thank Shaun Kammerling and Michael Kruger of Orange Cyberdefense's SensePost team for reporting this vulnerability, and for their partnership as we addressed this issue.
If you have questions regarding this issue, please contact us at:
Or, reach out to your Customer Success Manager, as appropriate.