<![CDATA[Duo Product Security Advisories]]> https://duo.com/ Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. Thu, 12 Dec 2019 08:30:00 -0500 en-us info@duosecurity.com (Amy Vazquez) Copyright 2019 3600 <![CDATA[DUO-PSA-2019-002: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2019-002 https://duo.com/labs/psa/duo-psa-2019-002 Tue, 12 Nov 2019 10:35:00 -0500

Duo Product Security Advisory

Advisory ID: DUO-PSA-2019-002
CVE: CVE-2019-3465
Publication Date: 2019-11-12
Revision Date: 2019-11-12
Status: Confirmed, Fixed
Document Revision: 1

Overview

A third-party software library, which the Duo Access Gateway (DAG) uses to enable SAML as a first-factor authentication source, contains a vulnerability that could allow an attacker to impersonate a user when authenticating to an application that is federated through the Duo Access Gateway. Version 1.5.10 of the Duo Access Gateway corrects this issue.

Description

This vulnerability was identified during an independent third-party security audit of SimpleSAMLphp and was reported to the maintainers. An issue was identified in the way that xmlseclib, a library used by SimpleSAMLphp to perform XML signing and encryption operations, validates the SignedInfo element of a SAML response.

Specifically, it was possible for an attacker to include data within a SAML response that, while not actually signed, would be interpreted by SimpleSAMLphp as signed by an Identity Provider (IdP). This issue is only applicable to Duo Access Gateways that are configured to use a SAML Identity Provider as their authentication source. DAGs configured to use Active Directory for first-factor authentication are not affected.

Impact

This vulnerability could allow an attacker who is able to authenticate to the DAG and obtain a valid signature in a SAML response from an Identity Provider to specify a different username to a Service Provider than was originally used to authenticate. This could allow an attacker to impersonate other users when accessing applications already available to them through the DAG. If the impersonated username has a Duo bypass policy applied, then the attacker could potentially access any application federated by the DAG.

Affected Product(s)

Duo Access Gateway (DAG) version 1.5.9 and below

Solution

Duo recommends that all customers using Duo Access Gateway, but especially those who use the DAG with a SAML Identity Provider, upgrade to the latest version, 1.5.10, as soon as possible.

Vulnerability Metrics

Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: High
CVSSv2 Overall Score: 1.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.1
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C/CDP:MH/TD:L/CR:M/IR:M/AR:L

Timeline

2019-11-04

  • 08:14 ET - Duo becomes aware of a vulnerability in SimpleSAMLphp that potentially affects the DAG
  • 14:08 ET - Duo contacts the SimpleSAMLphp maintainers requesting additional details about the vulnerability

2019-11-05

  • 02:48 ET - Duo receives a response from the maintainers with additional detail regarding the vulnerability
  • 08:15 ET - Duo begins reviewing the issue to determine if the DAG is impacted
  • 10:15 ET - After analysis of the issue, Duo believes the DAG is likely affected and begins working on a new release containing the fix
  • 16:28 ET - Duo begins the build and test process for creating a release candidate of the DAG

2019-11-06

  • 08:37 ET - Duo is able to use a proof of concept exploit to confirm that the DAG release candidate build with the fix is not vulnerable
  • 12:00 ET - Duo releases DAG version 1.5.10 and makes it available to customers

2019-11-12

  • Duo distributes PSA to potentially impacted customers

References

Credits/Contact

Duo Security would like to thank the maintainers of SimpleSAMLphp for their help in remediating this issue.

If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2019-002" in the subject
  • our phone line at +1(844) 386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.

Or, reach out to your Customer Success Manager, as appropriate.

]]>
<![CDATA[DUO-PSA-2019-001: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2019-001 https://duo.com/labs/psa/duo-psa-2019-001 Tue, 16 Apr 2019 08:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2019-001
Publication Date: 2019-04-16
Revision Date: 2019-04-16
Status: Confirmed, Fixed
Document Revision: 1

Overview

A Duo customer has identified an issue where Duo Authentication for Windows Logon could incorrectly enforce "failmode" following a manual, post-installation change to its offline configuration. This flaw could cause a system configured to fail securely (i.e. fail closed) to fail open instead.

Updating to version 4.0.5 of the software fully resolves this potential enforcement issue.

Description

A defect with Duo Authentication for Windows Logon (WinLogon) could allow an incorrect enforcement of failmode configuration under a specific circumstance. In this situation, the system would react with a continuous "fail open" state when unable to reach Duo’s service.

This issue is restricted to those who use WinLogon version 4.0.0 through 4.0.4 and have manually configured the “OfflineAvailable” and “FailOpen” keys to disable both simultaneously by setting them to a value of “0” (zero). The “FailOpen” key is only set manually by a system administrator and is not set by any other part of the WinLogon functionality.

Impact

When using vulnerable versions of WinLogon, a combination of post-installation configuration options could cause a system configured to fail securely (i.e. fail closed) to ignore that configuration and fail open instead.

Affected Product(s)

Duo Authentication for Windows Logon, versions 4.0.0 - 4.0.4

Solution

Duo has released a new version, 4.0.5, of the WinLogon software that properly enforces the failmode in previously impacted configurations. Impacted customers are advised to immediately update to this new version.

Vulnerability Metrics

Vulnerability Class: CWE-284: Improper Access Control
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 4.2
CVSSv2 Group Scores: Base: 5.0, Temporal: 3.9
CVSSv2 Vector: AV:L/AC:M/Au:S/C:P/I:C/A:N/E:POC/RL:OF/RC:C/CDP:L/TD:M/CR:L/IR:H/AR:L

Timeline

2019-04-08

  • Duo receives a report for a security concern in the WinLogon software from a customer

2019-04-09

  • 10:20 ET - Duo receives logs from the customer providing further details of the concern
  • 10:44 ET - Duo acknowledges receipt of the report and begins an investigation
  • 11:43 ET - Duo verifies that the report is accurate and determines the root cause
  • 15:29 ET - Duo begins development of a patch to remediate the identified software defect

2019-04-10

  • 10:51 ET - Duo implements a fix for the issue and performs quality assurance testing
  • 11:42 ET - Duo begins analysis to determine potentially impacted customers

2019-04-11

  • Duo releases the updated version (4.0.5) of WinLogon with the fix included

2019-04-12

  • Duo completes an impact analysis for the list of potentially affected customers to notify

2019-04-16

  • PSA distributed to potentially impacted customers

References

Credits/Contact

Duo Security would like to thank National Retail Properties for their security report that led to this fix.

If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2019-001" in the subject
  • our phone line at +1(844) 386.6748.

International customers can find our toll-free numbers here: https://duo.com/about/contact.

Or, reach out to your Customer Success Manager, as appropriate.

]]>
<![CDATA[DUO-PSA-2018-004: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2018-004 https://duo.com/labs/psa/duo-psa-2018-004 Tue, 18 Dec 2018 00:00:00 -0500

Duo Product Security Advisory

Advisory ID: DUO-PSA-2018-004
Publication Date: 2018-12-18
Revision Date: 2018-12-18
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue with the Duo Access Gateway (DAG). This issue could have allowed for data exposure on the DAG's filesystem for certain limited use cases as described below. Specifically, a user's primary authentication credentials could have been temporarily stored on the DAG's server -- not externally or accessible by Duo. This issue was discovered internally while working on unrelated product features. Upon discovery, Duo developed a new version of DAG that patches the issue and deletes any potentially exposed information from the filesystem.

Description

A Duo Security employee identified a bug resulting in the exposure of users' primary authentication credentials. This exposure was limited to administrators with access to the DAG's filesystem. This bug, which affected both the Linux (Docker) and Windows versions of DAG, was further limited to deployments of the DAG that meet all of the following criteria: Office365 was the SAML application being authenticated to, the Basic Authentication setting was set to disabled, and the DAG was running version 1.5.0 - 1.5.5, inclusive.

Impact

This issue may have resulted in exposure of users' primary authentication credentials on the DAG's filesystem. This information could have been further exposed via backup or replication.

Duo does not have the ability to remotely access these files as they are held within the customer's environment. Moreover, these credentials were not exposed outside of the users' organizations.

Affected Product(s)

Duo Access Gateway (DAG) 1.5.0 - 1.5.5

Solution

In order to resolve this issue, customers must update their DAG deployments to version 1.5.6. This will patch the issue and delete any potentially exposed information from the filesystem.

Administrators should also consider locations this information may have been copied to -- for example in a system backup or a failover machine. Due to the potential for user credential exposure on the DAG's filesystem, organizations that believe this information may have been duplicated or accessed should consider having users reset their passwords out of caution.

Vulnerability Metrics

Vulnerability Class: CWE-313: Cleartext Storage in a File or on Disk
Remotely Exploitable: No
Authentication Required: Partial
Severity: Low
CVSSv2 Overall Score: 0.9
CVSSv2 Group Scores: Base: 3.7, Temporal: 2.7
CVSSv2 Vector: AV:L/AC:H/Au:M/C:C/I:N/A:N/E:U/RL:OF/RC:C/CDP:L/TD:L/CR:M/IR:ND/AR:ND

Timeline

2018-12-10

  • 11:45 ET - Duo identifies a bug that could store user credentials on the DAG's filesystem.
  • 14:15 ET - Duo narrows the scope of the issue and determines a remediation path.

2018-12-11

  • Duo compiles a list of potentially affected customers and begins patch creation.

2018-12-12

  • Duo verifies a fix and begins the build & test process for a new DAG release.

2018-12-14

  • Duo completes the build & quality assurance testing for a new DAG release with security fixes.

2018-12-18

  • Duo distributes the PSA to potentially affected customers and releases DAG version 1.5.6.

References

Credits/Contact

If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2018-004" in the subject
  • our phone line at +1(844)386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.
]]>
<![CDATA[DUO-PSA-2018-003: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2018-003 https://duo.com/labs/psa/duo-psa-2018-003 Thu, 31 May 2018 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2018-003
Publication Date: 2018-05-31
Revision Date: 2018-05-31
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue with our documentation for the Duo Authentication Proxy integration with VMware Horizon View. The previously recommended configuration could allow a malicious user who had separately compromised a user's primary authentication credentials to gain access without secondary authentication. This issue has since been resolved in our official documentation.

Description

A Duo Security employee identified a secondary authentication bypass condition in the previous documentation (available until 2018-05-22) when the Duo Authentication Proxy performs secondary authentication and VMware Horizon View handles primary authentication independently. Because VMware Horizon View's implementation prompts secondary authentication before primary authentication, this could have allowed a malicious user to leverage a different user's primary credentials after successfully passing secondary authentication for their own account.

Impact

When configuring VMware Horizon View and the Duo Authentication Proxy with [duo_only_client], there is no relationship between the user who successfully performed a second-factor authentication with Duo and the user who submits their username and password. This configuration could have potentially allowed a malicious user to bypass a targeted user's secondary authentication by using their own and then submitting the target user's primary credentials.

Affected Product(s)

Duo Authentication Proxy (VMware Horizon View Integration)

Solution

In order to resolve this issue, we advise our customers who are using the VMware Horizon View integration to remove the [duo_only_client] section and configure the [ad_client] section in Duo Authentication Proxy configuration. Customers must also make sure to enable both "Enforce 2-factor and Windows user name matching" and "Use the same username and password for RADIUS and Windows authentication" in VMware Horizon View.

As a result, the Duo Authentication Proxy will require correct primary authentication credentials before triggering secondary authentication to make sure that the primary and secondary authentication credentials match. This configuration also ensures that VMware Horizon View will not allow a user to enter different login credentials during the primary authentication. Recommended main and alternate configurations can be found here:
- https://duo.com/docs/vmwareview
- https://duo.com/docs/vmwareview-alt

Please note that if you were using [duo_only_client] prior, the AD password reset feature with VMware Horizon View will no longer work with the updated [ad_client] configuration.
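
As an added check (not Duo's code) for the proxy side of this change, the following Python audits an authproxy.cfg: it flags a leftover [duo_only_client] section, a missing or incomplete [ad_client] section, and any RADIUS server section whose client= does not point at ad_client. The [radius_server_auto] section and the ikey/skey/api_host/host/service_account_*/search_dn keys are taken from Duo's authproxy.cfg documentation as I know it, and every sample value is a placeholder.

```python
"""Audit a Duo Authentication Proxy configuration (authproxy.cfg, INI syntax)
for the VMware Horizon View remediation in this advisory. Added example, not
Duo's code; both configurations below are constructed with placeholder values."""
import configparser

# Constructed: the shape this advisory tells customers to move away from.
BEFORE_CFG = """\
[duo_only_client]

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=<placeholder-skey>
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=<placeholder-radius-secret>
client=duo_only_client
port=1812
"""

# Constructed: the corrected shape, primary authentication delegated to AD.
AFTER_CFG = """\
[ad_client]
host=192.0.2.5
service_account_username=duoservice
service_account_password=<placeholder-password>
search_dn=DC=example,DC=com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=<placeholder-skey>
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=<placeholder-radius-secret>
client=ad_client
port=1812
"""

AD_CLIENT_REQUIRED_KEYS = ("host", "service_account_username",
                           "service_account_password", "search_dn")


def audit_authproxy(cfg_text):
    """Return a list of findings; an empty list means the proxy side of the
    fix is in place. The two Horizon View checkboxes named in the advisory
    live on the Horizon side and cannot be verified from this file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    findings = []
    if cp.has_section("duo_only_client"):
        findings.append("[duo_only_client] is present; remove it")
    if not cp.has_section("ad_client"):
        findings.append("[ad_client] is missing; add it so primary credentials "
                        "are verified before the second factor is requested")
    else:
        for key in AD_CLIENT_REQUIRED_KEYS:
            if not cp.get("ad_client", key, fallback=""):
                findings.append(f"[ad_client] lacks {key}")
    # Every RADIUS server section must use ad_client for primary auth.
    for section in cp.sections():
        if section.startswith("radius_server"):
            client = cp.get(section, "client", fallback="")
            if client != "ad_client":
                findings.append(f"[{section}] client={client or '<unset>'}; "
                                "should be ad_client")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        print(label, audit_authproxy(cfg) or "OK")
```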

Vulnerability Metrics

Vulnerability Class: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 6.0
CVSSv2 Group Scores: Base: 6.3, Temporal: 6.0
CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:N/A:N/E:F/RL:U/RC:C

Timeline

2018-05-15

  • A Duo employee identifies a potential security issue while troubleshooting a customer concern.

2018-05-16

  • Duo verifies the security issue exists and investigates the root cause of the problem.

2018-05-17

  • Duo performs internal testing to determine an appropriate remediation strategy.
  • Duo updates published documentation with an intermediate mitigation for the issue.

2018-05-18

  • Duo gathers more information on this issue through additional analysis & testing.

2018-05-22

  • Duo updates documentation with the final version of needed configuration changes.

2018-05-31

  • PSA is distributed to impacted customers to provide awareness of this documentation change.

References

Credits/Contact

If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2018-003" in the subject
  • our phone line at +1(844)386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.
]]>
<![CDATA[DUO-PSA-2018-002: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2018-002 https://duo.com/labs/psa/duo-psa-2018-002 Wed, 23 May 2018 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2018-002
Publication Date: 2018-05-23
Revision Date: 2018-05-23
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue with the Duo administrative panel. This issue could have allowed for a second-factor bypass of administrative logins. This issue was completely service-side and immediately resolved upon discovery of the flaw.

Description

A Duo Security employee identified a bypass condition for administrative logins by submitting specially crafted passcodes as a second factor of authentication. This issue was only applicable to administrative logins.

Impact

An administrative login for an account could have had its second factor bypassed if an attacker first acquired a valid set of primary authentication credentials. Duo Security has no knowledge of this issue being abused. Duo Security was able to remediate this issue within three hours of initial discovery by a Duo employee.

Affected Product(s)

Duo’s Administrative Panel

Solution

This issue was resolved internally through an immediate security fix applied to our cloud service deployments for all customers. No action was required by customers to have this fix applied to their account.

Duo Security conducted thorough log analysis and, from the available log data, found zero indicators that this issue had been used to attack customer accounts. However, customers may additionally choose to review their own accounts for suspicious activity by reviewing the Administrator Actions log in the administrative panel.

Vulnerability Metrics

Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 5.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.7
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C

Timeline

2018-05-17

  • 15:00 ET - Duo identifies a second-factor bypass in the Duo administrative panel.
  • 16:35 ET - Duo verifies a fix for the root cause of the issue and begins a roll-out of the fix.
  • 17:35 ET - All Duo customer deployments have received the remediation for this issue.

2018-05-21

  • Internal log analysis is conducted, and identifies no indications that this issue had been exploited.

2018-05-23

  • PSA is distributed to potentially impacted customers to provide awareness of this resolved issue.

References

Credits/Contact

If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2018-002" in the subject
  • our phone line at +1(844)386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.
]]>
<![CDATA[DUO-PSA-2018-001: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2018-001 https://duo.com/labs/psa/duo-psa-2018-001 Tue, 06 Mar 2018 00:00:00 -0500

Duo Product Security Advisory

Advisory ID: DUO-PSA-2018-001
Publication Date: 2018-03-06
Revision Date: 2018-03-06
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue with our public documentation on the Duo Unix integration. The suggested Pluggable Authentication Module (PAM) stack for the AIX operating system contained a logic bug that could allow for attackers to bypass secondary authentication. An attacker that had separately compromised a user's primary authentication credentials could then gain access without secondary authentication.

This issue is not a software flaw in Duo Unix, and does not require Duo Unix software updates. Applying the relevant configuration changes should be sufficient to remediate this issue.

Description

To protect the 'su' and 'sshd' Unix programs, Duo previously (until 2018-02-26) recommended including the following PAM configuration for the AIX operating system:

auth requisite pam_aix
auth sufficient /usr/lib/security/pam_duo.so

This would attempt primary authentication via the pam_aix PAM module and fail immediately if that was unsuccessful. Then, if primary authentication was successful, it would attempt 2FA via the pam_duo module.

The error is that the 'sufficient' PAM control flag does not return an authentication failure when that particular PAM module fails. That is, once primary authentication had succeeded, PAM held a 'success' result and returned it regardless of what pam_duo returned.

Impact

Configuring Duo Unix with the previously mentioned faulty PAM configuration causes Duo Unix to not enforce 2FA. Administrators should update their PAM configuration as soon as possible.

Affected Product(s)

Duo Unix, when configured for AIX systems following Duo's documented PAM configuration prior to 2018-02-26.

Solution

Changing the PAM control flag to 'required' will fix the issue:

auth requisite pam_aix
auth required /usr/lib/security/pam_duo.so

The complete recommended PAM configuration can be found here: https://duo.com/docs/duounix#pam-examples

Note that no changes to Duo Unix itself are required.
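
To show why the control flag matters, here is an added Python model (not Duo's or AIX's code) of how a PAM auth stack dispatches the requisite, required and sufficient flags, following the rules the advisory describes; it runs both the old and the corrected stack through every combination of password and 2FA outcome, with module results simulated rather than taken from pam_aix or pam_duo.

```python
"""Model of how a PAM auth stack dispatches the requisite, required and
sufficient control flags, used to compare the old and the corrected AIX stacks
from this advisory. Added example, not Duo's or AIX's code; module results are
simulated rather than obtained from pam_aix or pam_duo."""
from dataclasses import dataclass

SUCCESS, FAIL = "success", "fail"


@dataclass(frozen=True)
class Entry:
    flag: str     # requisite | required | sufficient
    module: str   # module name, e.g. "pam_aix"


def run_auth_stack(stack, results):
    """Evaluate `stack` (a list of Entry) given `results`, a dict mapping each
    module name to SUCCESS or FAIL. Returns (final result, trace of calls)."""
    status = None   # None until some module sets a decisive result
    trace = []
    for entry in stack:
        rv = results[entry.module]
        trace.append(f"{entry.flag} {entry.module} -> {rv}")
        if entry.flag == "requisite":
            if rv == FAIL:
                return FAIL, trace            # fail immediately, skip the rest
            if status is None:
                status = SUCCESS              # stack is now "primed" with success
        elif entry.flag == "required":
            if rv == FAIL:
                status = FAIL                 # remembered; later modules still run
            elif status is None:
                status = SUCCESS
        elif entry.flag == "sufficient":
            if rv == SUCCESS and status != FAIL:
                return SUCCESS, trace         # enough on its own; stop here
            # a failing 'sufficient' module is ignored: it cannot fail the stack
        else:
            raise ValueError(f"unsupported control flag {entry.flag!r}")
    # End of stack: whatever was primed earlier is returned; a stack that
    # decided nothing fails closed.
    return (status if status is not None else FAIL), trace


# The two stacks from the advisory.
OLD_AIX_STACK = [Entry("requisite", "pam_aix"), Entry("sufficient", "pam_duo")]
FIXED_AIX_STACK = [Entry("requisite", "pam_aix"), Entry("required", "pam_duo")]


def outcome(stack, primary_ok, second_factor_ok):
    """Final result for one login attempt with the given module outcomes."""
    results = {"pam_aix": SUCCESS if primary_ok else FAIL,
               "pam_duo": SUCCESS if second_factor_ok else FAIL}
    return run_auth_stack(stack, results)[0]


if __name__ == "__main__":
    for name, stack in (("old: auth sufficient pam_duo", OLD_AIX_STACK),
                        ("fixed: auth required pam_duo", FIXED_AIX_STACK)):
        print(name)
        for primary_ok in (True, False):
            for duo_ok in (True, False):
                print(f"  password {'ok ' if primary_ok else 'bad'}, "
                      f"2FA {'ok ' if duo_ok else 'bad'} -> "
                      f"{outcome(stack, primary_ok, duo_ok)}")
```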

Vulnerability Metrics

Vulnerability Class: CWE-592: Authentication Bypass Issues
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: High
CVSSv2 Overall Score: 5.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.7
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C

Timeline

2018-02-23

  • Duo identifies a potential documentation error for Duo Unix on AIX
  • Duo confirms that the posted documentation won't properly secure PAM on AIX

2018-02-26

  • Duo begins testing to understand root cause of PAM configuration issue
  • Duo identifies an appropriate fix and performs additional testing
  • duo.com is updated with fixed documentation to prevent new PAM issues

2018-03-06

  • PSA is distributed to potentially impacted customers using Duo Unix on AIX

References

Credits/Contact

If you have questions regarding this issue, please contact us at:

  • support@duosecurity.com, referencing "DUO-PSA-2018-001" in the subject
  • our phone line at +1(844)386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.

Or, reach out to your Customer Success Manager, as appropriate.

]]>
<![CDATA[DUO-PSA-2017-003: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2017-003 https://duo.com/labs/psa/duo-psa-2017-003 Tue, 27 Feb 2018 00:00:00 -0500

Duo Product Security Advisory

Advisory ID: DUO-PSA-2017-003
Publication Date: 2018-02-27
Revision Date: 2018-02-27
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo Security has identified a security flaw in a third-party library used in the Duo Network Gateway (DNG) which, under certain configurations, could allow for a bypass of the DNG's SAML first factor of authentication.

Description

Duo has discovered an implementation flaw in the open-source library 'python-saml' (CVE-2017-11427) that, under certain conditions, could allow an attacker with authenticated access to a SAML Identity Provider (IdP) to bypass the first factor of authentication for a different user.

This issue is due to an inconsistency of XML DOM traversal APIs and their handling of comment nodes. Comment nodes should have no effect - and indeed, due to the canonicalization of XML prior to signature verification, inserting an XML comment into a SAML message does not invalidate its signature. However, the 'python-saml' code makes incorrect use of a DOM-traversal API, such that it fails to extract the full inner text of an XML element containing a comment. Instead, all the text after the comment is lost.

To exploit this issue, an attacker inserts XML comments into select areas of the SAML assertions before passing them along to the DNG. Once the DNG validates the signature and extracts the user's identifier, only part of the user's identifier is recovered. In cases where an attacker's user identifier (e.g. john_doe) can be truncated to become a victim's user identifier (e.g. john), the attacker can trick the DNG into authenticating as the victim.
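
The parsing difference described above, as an added Python example that is not python-saml's or the DNG's code: two constructed NameID fragments (no namespaces or signature, to isolate the behaviour) have the same canonical form once comments are dropped, a first-text-node extractor returns only the text before the comment, and a hardened extractor that joins all text children and rejects element children returns the whole identifier.

```python
"""Shows the XML comment-handling defect behind CVE-2017-11427 and an
extraction routine that is not fooled by it. Added example, not python-saml
or DNG code; the assertion fragments are constructed."""
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed fragments. With comments removed they are identical, which is
# also how canonicalization (comments excluded) presents them before a
# signature is computed or checked.
ASSERTION_PLAIN = (
    "<Assertion><Subject><NameID>john_doe</NameID></Subject></Assertion>"
)
ASSERTION_WITH_COMMENT = (
    "<Assertion><Subject><NameID>john<!-- -->_doe</NameID></Subject></Assertion>"
)


def canonical(xml):
    """Canonical form with comments stripped (ElementTree.canonicalize, 3.8+)."""
    return ET.canonicalize(xml_data=xml, with_comments=False)


def _name_id(xml):
    return minidom.parseString(xml).getElementsByTagName("NameID")[0]


def name_id_first_text_node(xml):
    """The defective pattern: read only the first child text node. A comment
    splits the element's text into two nodes, so the tail is dropped."""
    return _name_id(xml).firstChild.nodeValue


def name_id_all_text(xml):
    """Hardened extraction: join every text/CDATA child, skip comments, and
    refuse any other child (nothing else belongs inside a NameID)."""
    parts = []
    for child in _name_id(xml).childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.nodeValue)
        elif child.nodeType != child.COMMENT_NODE:
            raise ValueError(f"unexpected {child.nodeName} inside NameID")
    return "".join(parts)


if __name__ == "__main__":
    print("same canonical form:",
          canonical(ASSERTION_PLAIN) == canonical(ASSERTION_WITH_COMMENT))
    for label, fn in (("first-text-node", name_id_first_text_node),
                      ("all-text", name_id_all_text)):
        print(f"{label:16s} plain={fn(ASSERTION_PLAIN)!r} "
              f"commented={fn(ASSERTION_WITH_COMMENT)!r}")
```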

Impact

Attackers who have the ability to authenticate as a user may be able to bypass the first factor of authentication for a different user.

Note that, unless the attacker can separately bypass 2FA, this attack would not result in a full bypass of user authentication.

Affected Product(s)

This issue affects DNG versions before version 1.2.10. DNG configurations could be at greater risk, due to increased attacker control over the user being bypassed, if they either:

  • Have "Username Normalization" enabled for the DNG integration. (Username Normalization is enabled by default)
  • Do not have a domain specified for email identifiers via the "Enforced Email Domain" feature. (No domain is specified by default)

Solution

The issue has been resolved through a patch to the Duo Network Gateway. Please update to DNG version 1.2.10+ using the instructions covered at https://duo.com/docs/dng.

You can check the version of your Duo Network Gateway by following the instructions at https://help.duo.com/s/article/4151.

Vulnerability Metrics

Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 5.1
CVSSv2 Group Scores: Base: 6.3, Temporal: 5.1, Environmental: 5.1
CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:N/A:N/E:POC/RL:U/RC:UC/CDP:ND/TD:ND/CR:M/IR:L/AR:L

References

Timeline

2017-12-11

  • During an internal application security assessment on the python-saml library, Duo determines that a security issue exists that may have serious implications.
  • Duo conducts an investigation of products using this library and determines that the Duo Network Gateway (DNG) application is impacted in its usage of this library.
  • After understanding the root cause of the issue in python-saml, Duo investigates whether similar implementations within other SAML-related libraries & software may suffer from this issue.

2017-12-14

  • Additional analysis of SAML implementations identifies three other vendors impacted by related bugs.

2017-12-18

  • Having confirmed this vulnerability class applies across multiple vendors, Duo contacts CERT/CC to coordinate disclosure of all related issues.

2017-12-19

  • To ensure customers will be immediately protected from this vulnerability, Duo releases a new version of the DNG with a fix.

2017-12-20

  • Impacted customers are made aware that a security issue in the DNG requires their action to update their installations. However, Duo does not disclose technical details around the issue at this time, and customers are instead informed Duo is coordinating with CERT/CC due to other parties being at risk to similar issues in their own software & library usage.
  • CERT/CC acknowledges receipt of issues from Duo and replies back with initial questions.

2017-12-22

  • Duo provides CERT/CC with answers to questions and additional information as required.

2018-01-02 to 2018-01-09

  • Additional communication between Duo and CERT/CC occurs to address questions.

2018-01-09

  • CERT/CC & Duo agree upon 02/27/2018 as a coordinated public disclosure date.

2018-01-24

  • CERT/CC provides initial contact to impacted vendors after internal analysis.

2018-01-25

  • Vendors respond back to CERT/CC and begin internal triage & remediation processes.
  • Communication occurs with CERT/CC about additional issues related to this research.

2018-01-29

  • Additional vendors are identified as possibly impacted and CERT/CC contacts them.

2018-02-01

  • CVE numbers are reserved for each vendor's impacted software found during research.

2018-02-06

  • CERT/CC provides a draft of their technical note for review by Duo.
  • Duo acknowledges and approves the draft of the CERT/CC technical note.

2018-02-19

  • Duo follows up with CERT/CC asking for updates to vendor report/response timelines.

2018-02-20

  • CERT/CC responds to Duo's request with a high-level timeline. Final confirmation that all vendors are patched and agree on a 02/27/2018 coordinated public disclosure.

2018-02-27

  • Coordinated public disclosure of issues identified occurs, including the DNG.

Credits/Contact

Duo Security would like to thank CERT/CC for their coordination related to the various security disclosure actions conducted during this process.

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2017-003" in the subject.

Other feedback regarding this issue can be sent to security@duosecurity.com.

]]>
<![CDATA[DUO-PSA-2017-002: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2017-002 https://duo.com/labs/psa/duo-psa-2017-002 Wed, 31 May 2017 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2017-002
Publication Date: 2017-05-31
Revision Date: 2017-05-31
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo Security has identified an issue in duo_unix, which, under certain uncommon configurations, could enable attackers to bypass second-factor user authentication. Duo has no evidence that this vulnerability has actively been exploited and we believe this specific configuration is extraordinarily uncommon.

This issue was resolved in version 1.9.21 of duo_unix. Customers using an affected configuration should update to the latest version as soon as possible (see "Solution" section below).

Description

Prior to version 1.9.21, duo_unix (which includes both login_duo and pam_duo) supported setting an HTTP proxy configuration through the standard 'http_proxy' environment variable. Under some uncommon configurations (examples listed below), however, it is possible for an untrusted user to set a value for the 'http_proxy' variable prior to initiating a Duo authentication attempt.

If an invalid proxy host (e.g. '0.0.0.0') is selected, then login_duo/pam_duo will ultimately fail to connect to Duo's API, and as a result, trigger the configured "failmode" behavior. If "failmode" is set to "safe" (which is the default), then this could result in a bypass of second-factor authentication.

Duo has identified two specific configuration scenarios in which an untrusted user may be able to control the value of the 'http_proxy' environment variable.

1. login_duo with nonstandard sshd "AcceptEnv" configurations:

OpenSSH can permit clients to forward environment variables to servers. By default, OpenSSH server distributions generally allow only a whitelisted set of variables (which does not include 'http_proxy') to be forwarded in this way. It is possible, however, for an administrator to configure a less-restrictive policy using the AcceptEnv keyword in sshd_config.

If a server has been configured with a non-default AcceptEnv policy that permits clients to send an 'http_proxy' environment variable, and is using login_duo to add Duo 2FA to ssh logins, then this configuration could result in a bypass of Duo 2FA.

This scenario only applies to login_duo; when used with OpenSSH, pam_duo is unaffected by this issue.

2. pam_duo with local authentication (e.g. su / sudo):

While pam_duo is not affected by this issue when used with OpenSSH, when pam_duo is being used to perform 2FA in other contexts - particularly, to authenticate system-local actions performed by untrusted users - it may be possible for untrusted users to control the value of the 'http_proxy' environment variable prior to initiating an authentication attempt.

In particular, Duo has confirmed that configurations which use pam_duo to add Duo 2FA to the "su" and "sudo" commands are impacted by this issue.

Version 1.9.21 of duo_unix has been released to resolve this issue. It removes support for configuring an HTTP Proxy via an environment variable.

Impact

Attackers may be able to bypass second-factor authentication on impacted configurations which accept attacker-controlled environment variables.

Affected Product(s)

All versions of duo_unix prior to 1.9.21 are impacted when used in one of the following configuration scenarios:

  • login_duo is performing 2FA for SSH logins, and sshd has been configured with a permissive (non-default) AcceptEnv policy
  • pam_duo is performing 2FA for scenarios other than SSH logins

Workaround

Customers using login_duo in an affected configuration may work around this issue by ensuring that their AcceptEnv configuration for sshd (e.g. in /etc/ssh/sshd_config) does not permit clients to send an 'http_proxy' variable.
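The workaround above depends on the effective AcceptEnv policy, which can appear on several lines and inside Match blocks, and whose values are glob patterns rather than literal names. The following audit script is an added example (not part of the advisory or of duo_unix) that parses an sshd_config and reports every AcceptEnv pattern that would let a client forward 'http_proxy'. The sample configuration embedded in it is constructed for illustration; the script does not follow Include directives.

```python
import fnmatch
import re

# Constructed sample sshd_config (not from any real host); the Match block
# grants one group a non-default AcceptEnv that includes http_proxy.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
AcceptEnv LANG LC_*
PasswordAuthentication yes

Match Group contractors
    AcceptEnv http_proxy
"""

# sshd_config keywords are case-insensitive and accept "Keyword value" or "Keyword=value".
_ACCEPT_ENV = re.compile(r"(?i)^acceptenv(?:\s+|\s*=\s*)(?P<patterns>.+)$")


def accept_env_patterns(config_text):
    """Collect every AcceptEnv pattern in the file, inside or outside Match blocks.

    Patterns from Match blocks are included on purpose: the audit should be
    conservative, because they apply to whichever users or groups the block names.
    Only whole-line comments exist in sshd_config, so that is all we skip here.
    """
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ACCEPT_ENV.match(line)
        if m:
            patterns.extend(m.group("patterns").split())
    return patterns


def audit_sshd_config(config_text, var="http_proxy"):
    """Return the AcceptEnv patterns that would let an SSH client set `var`.

    AcceptEnv values are glob patterns ('*' and '?') matched case-sensitively,
    so "LC_*" does not expose http_proxy but "*" or "http_proxy" does.
    An empty list means the advisory's workaround condition is satisfied.
    """
    return [p for p in accept_env_patterns(config_text) if fnmatch.fnmatchcase(var, p)]


if __name__ == "__main__":
    for pattern in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("AcceptEnv pattern exposes http_proxy:", pattern)
```

Run it against a copy of the live file (for example by replacing SAMPLE_SSHD_CONFIG with the contents of /etc/ssh/sshd_config); any reported pattern should be removed or narrowed before relying on the workaround rather than the upgrade.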

Customers using pam_duo in an affected configuration must upgrade to the latest version of duo_unix.

Solution

Customers should upgrade to the latest version of the duo_unix client as discussed above. Clone the latest version from:

For more information on upgrading duo_unix, see https://duo.com/docs/duounix

Vulnerability Metrics

Vulnerability Class: CWE-454: External Initialization of Trusted Variables or Data Stores
Remotely Exploitable: No
Authentication Required: Partial
Severity: High
CVSSv2 Overall Score: 5.0
CVSSv2 Group Scores: Base: 6.0, Temporal: 5.0
CVSSv2 Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C)

References

Timeline

2017-05-19

  • Duo privately receives report of a security vulnerability in Duo Unix
  • Duo acknowledges receipt of report and begins investigation

2017-05-22

  • Duo confirms vulnerability exists in related case to original report

2017-05-30

  • Duo completes development and testing of fixes

2017-05-31

  • Advisory released to all Duo customers using duo_unix

Credits/Contact

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2017-002" in the subject, or to your Customer Success Manager, if appropriate.

Duo Security would like to thank Fred Emmott for reporting this issue.

]]>
<![CDATA[DUO-PSA-2017-001: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2017-001 https://duo.com/labs/psa/duo-psa-2017-001 Tue, 14 Mar 2017 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2017-001
Publication Date: 2017-03-14
Revision Date: 2017-03-14
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue in our cloud service which, under certain configurations, could have enabled attackers who have separately compromised a user's primary credentials to add additional unauthorized second-factor authentication devices or modify previously-registered devices for that user. The issue only affects a subset of customers who have enabled the Self-Service and Device Management Portal on their applications.

Duo resolved this issue within 24 hours of the report by deploying a fix to our cloud service that correctly enforces authentication in all cases prior to accessing the options to add/remove/change authentication devices associated with a user account.

Duo has confirmed with certainty that there were no attacks against this vulnerability on or after 2016-11-16, and has found no evidence suggesting that this vulnerability was ever exploited prior to that date.

However, in the interest of transparency, we are sharing any activities performed through the Self-Service and Device Management Portal for which the possibility of an attack cannot be completely ruled out. If you have received this notification, Duo has flagged these activity patterns for your account. Again, there is no evidence that these are malicious activities, but you may choose to review these activities and/or take further actions, as described below.

Description

Duo's cloud service contains two optional features called the Self-Service Portal and the Device Management Portal which allow users to manage their own Duo accounts and enrolled authentication devices. On applications where either feature is enabled, an attacker who also had access to a user's primary credentials could have gained access to the portion of the portal where users can manage (add/change/remove) authentication devices by initiating - but not successfully completing - a second factor authentication, then crafting and loading a special URL.

Impact

Duo has found no evidence that this vulnerability was ever exploited. A thorough analysis of detailed operational logs has confirmed that there were no attacks against this vulnerability from 16-Nov-2016 until the vulnerability was patched on 10-Feb-2017. A further analysis of less-granular operational logs prior to 16-Nov-2016 affirms that the vast majority of Duo customers and users were never impacted.

In a successful attack, an adversary who had previously compromised a user's primary credentials may have been able to add authentication devices or modify previously-registered authentication devices for that user, ultimately leading to bypass of second-factor authentication.

For a small subset of Duo users and customers, we have identified activity patterns prior to 16-Nov-2016 that could be consistent with either legitimate user activity or exploitation of this vulnerability. There is not enough information in our logs to allow us to distinguish between these two cases. After manually reviewing these log patterns, we strongly believe they are, in all cases, the result of legitimate user activity (e.g. adding, modifying, removing authentication devices) and represent false positives. Nonetheless, as we value transparency in security, we are presenting the complete list of the user activity to impacted customers so that they can determine for themselves whether to perform further review and/or take proactive action (e.g. re-enroll those users).

Customers who directly received this notification can use the Duo Administrator Panel to find the list of user activities for review and potential follow-up action at https://admin.duosecurity.com/psa/DUO-PSA-2017-001.

Affected Product(s)

Affected configurations include any applications that enabled the Device Management / Self-Service Portal features with Duo's service.

Solution

A fix that correctly enforces authentication in the Self-Service Portal and Device Management Portal has been deployed to Duo's cloud service. No action is necessary for customers to resolve the issue.

Customers who directly received this notification can perform further review of user activity and/or take proactive action in Duo Administrator Panel at https://admin.duosecurity.com/psa/DUO-PSA-2017-001.

Vulnerability Metrics

Vulnerability Class: CWE-592: Authentication Bypass Issues
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: High
CVSSv2 Overall Score: 6.5
CVSSv2 Group Scores: Base: 7.9, Temporal: 6.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C)

References

Timeline

2017-02-09

  • Duo privately receives report of a security vulnerability in the Self-Service Portal and Device Management Portal
  • Duo acknowledges receipt of report and begins investigation
  • Duo confirms vulnerability exists
  • Duo begins development of a patch

2017-02-10

  • Duo confirms the vulnerability with the reporting party
  • Duo commits and tests a fix
  • Fix is deployed to all Duo cloud deployments, closing off the vulnerability for all customers
  • Duo begins retrospective evaluation for all possible indicators that the vulnerability might have been exploited

2017-02-14

  • Duo confirms via retrospective analysis that no attacks have occurred in the previous 90 days, and begins searching back toward the origin of the vulnerability in March 2014

2017-02-22

  • Duo concludes retrospective evaluation for all possible indicators that the vulnerability might have been exploited
  • Duo begins developing functionality to allow customers to access information about flagged user activities and, if desired, disable logins and require re-enrollment for these users

2017-03-06

  • Duo completes development of remediation functionality, and begins testing/deployment

2017-03-13

  • Deployment of remediation functionality completed

2017-03-14

  • PSA distributed to potentially impacted customers

Credits/Contact

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2017-001" in the subject, or to your Customer Success Manager, if appropriate.

Duo Security would like to thank Brian W. Gray of Carnegie Mellon University for reporting this issue and the Carnegie Mellon Identity Services team for their assistance throughout.

]]>
<![CDATA[DUO-PSA-2016-002: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2016-002 https://duo.com/labs/psa/duo-psa-2016-002 Wed, 14 Dec 2016 00:00:00 -0500

Duo Product Security Advisory

Advisory ID: DUO-PSA-2016-002
Publication Date: 2016-12-14
Revision Date: 2016-12-21
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue in the Duo Authentication Proxy which, under certain uncommon configurations, could enable attackers to bypass second-factor user authentication. Duo has no evidence that this vulnerability has actively been exploited and we believe this specific configuration is extraordinarily uncommon.

This issue was resolved in version 2.4.18 of the Duo Authentication Proxy. Customers using an affected configuration (see "Solution" section below) should update to the latest version as soon as possible.

Description

The Duo Authentication Proxy performs second-factor authentication by communicating with the Duo Auth API. When performing second-factor authentication for a user using an out-of-band method (i.e. Duo Push or phone call), the Auth API does not return a response until the user has approved or rejected the authentication attempt, or Duo's cloud service considers the authentication attempt "expired". By default, the Authentication Proxy does not itself enforce any timeout on these API calls; Duo's cloud service will generally consider all authentication attempts "expired" after not more than 60 seconds.

However, the Authentication Proxy offers an advanced configuration option called "api_timeout", which places an upper bound on the number of seconds to wait for a response from the Auth API. If this timeout was reached before the Auth API had returned a result, the Authentication Proxy's configured "failmode" would be triggered. If "failmode" was set to "safe" (which is the default), then this could result in a bypass of second-factor authentication.

As of version 2.4.18, the Authentication Proxy will no longer trigger "fail-safe" behavior if an out-of-band authentication attempt prematurely times out.

Impact

Attackers may be able to bypass second-factor authentication only on systems that authenticate users via affected configurations of the Duo Authentication Proxy.

Affected Product(s)

Take the following steps to determine whether your configuration may be affected:

1. Open your authproxy.cfg file.

  • Windows: C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
  • Linux: /opt/duoauthproxy/conf/authproxy.cfg

2. Search for "api_timeout". If this value is present, you must remove it, or upgrade your Duo Authentication Proxy to version 2.4.18 or later.

For more information on this process, please see our knowledge base for details on how to verify whether you're affected: https://kb.duo.com/s/article/3341

Workaround

Customers using an affected configuration may work around this issue by removing all instances of "api_timeout" from authproxy.cfg, and restarting the Authentication Proxy.

Solution

Customers using an affected configuration should upgrade to the latest version of the Duo Authentication Proxy as discussed above. Download the latest version from:

For more information on upgrading the Authentication Proxy, see https://duo.com/docs/authproxy_reference#upgrading-the-proxy

Vulnerability Metrics

Vulnerability Class: CWE-636: Not Failing Securely ('Failing Open')
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: High
CVSSv2 Overall Score: 6.2
CVSSv2 Group Scores: Base: 7.9, Temporal: 6.2
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:N/E:POC/RL:OF/RC:C)

References

Timeline

2016-12-08

  • Duo privately receives report of a security vulnerability in the Authentication Proxy
  • Duo acknowledges receipt of report and begins investigation
  • Duo confirms vulnerability exists

2016-12-09

  • Engineers at Duo begin investigating potential fixes

2016-12-13

  • Duo completes development and testing of fixes

2016-12-14

  • Advisory released to paid Duo customers with potentially affected applications

2016-12-21

  • Advisory published and released to free Duo customers with potentially affected applications

Credits/Contact

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2016-002" in the subject, or to your Customer Success Manager, if appropriate.

Duo Security would like to thank Leo Pereira of Invitae for reporting this issue.

]]>
<![CDATA[DUO-PSA-2016-001: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2016-001 https://duo.com/labs/psa/duo-psa-2016-001 Wed, 11 May 2016 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2016-001
Original Publication Date: 2016-05-11
Revision Date: 2016-05-23
Status: Confirmed, Fixed
Document Revision: 3

Overview

Duo Security has identified multiple issues in the Duo Authentication Proxy which, under certain configurations, could enable attackers to partially or fully bypass user authentication. Duo has no evidence that these vulnerabilities have actively been exploited.

These issues have been resolved in version 2.4.17 of the Duo Authentication Proxy. Customers using an affected configuration (see "Solution" section below) should update to this version as soon as possible.

Description

Two authentication bypass issues have been identified in certain Authentication Proxy configurations. Duo believes that these configurations are relatively uncommon; however, we strongly recommend that all customers using an affected configuration update the Authentication Proxy.

LDAP Client:

If a Duo Authentication Proxy is configured to use an LDAP directory (Active Directory, OpenLDAP, etc.) for primary authentication, an attacker may in certain cases cause the Authentication Proxy to erroneously attempt to perform user authentication with an "unauthenticated BIND". Some LDAP implementations (e.g. Active Directory) unconditionally permit unauthenticated BIND operations. As a result, if an attacker can trigger this scenario - by sending an empty password - he will be able to partially or fully bypass authentication.

In particular, when the Authentication Proxy is configured as an LDAP-to-LDAP proxy, and set up to allow users to concatenate passwords with Duo passcodes (e.g. by typing ",123456"), an attacker may fully bypass authentication by logging in with a blank password (e.g. ",123456").

Otherwise, when the Authentication Proxy is configured as a RADIUS-to-LDAP proxy, and configured to use "plain" authentication, then an attacker may be able to bypass primary authentication (but not Duo) by logging in with a blank password.
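The LDAP client issue above comes down to one missing check: a password that is empty after the passcode delimiter is stripped must never be passed to a BIND, because a directory that accepts unauthenticated BINDs (a non-empty name with an empty password, the mechanism RFC 4513 section 5.1.2 describes, which the advisory notes Active Directory permits) will report success. The following is an added example, not code from the Duo Authentication Proxy: it uses a constructed in-memory stand-in for such a directory and shows the unguarded primary-authentication path beside the guarded one. The ',' delimiter and the split-from-the-right rule are assumptions modelled on the ",123456" form shown in the advisory.

```python
DELIM = ","   # assumption: separates the primary password from the Duo passcode ("password,123456")


def split_primary_and_factor(submitted):
    """Split 'password,factor' from the right so commas inside the password survive.

    Returns (primary_password, factor); factor is None when no delimiter is present.
    """
    if DELIM in submitted:
        primary, factor = submitted.rsplit(DELIM, 1)
        return primary, factor
    return submitted, None


class SimulatedPermissiveDirectory:
    """Constructed stand-in for a directory that accepts unauthenticated BINDs.

    Like the Active Directory behaviour the advisory describes, a BIND with a
    non-empty name and an empty password "succeeds" without proving identity.
    """

    def __init__(self, users):
        self.users = dict(users)   # username -> password, test data only

    def bind(self, username, password):
        if username and password == "":
            return True   # unauthenticated BIND: accepted, but proves nothing
        return self.users.get(username) == password


def primary_auth_unguarded(directory, username, submitted):
    """The failure mode: whatever is left after the delimiter goes straight to BIND."""
    primary, _factor = split_primary_and_factor(submitted)
    return directory.bind(username, primary)


def primary_auth_guarded(directory, username, submitted):
    """The fix: refuse to BIND at all when the name or the primary password is empty."""
    primary, _factor = split_primary_and_factor(submitted)
    if not username or not primary:
        return False
    return directory.bind(username, primary)


if __name__ == "__main__":
    directory = SimulatedPermissiveDirectory({"alice": "correct horse battery"})
    print("unguarded, blank password:", primary_auth_unguarded(directory, "alice", ",123456"))  # True
    print("guarded, blank password:  ", primary_auth_guarded(directory, "alice", ",123456"))    # False
    print("guarded, real password:   ", primary_auth_guarded(directory, "alice", "correct horse battery,123456"))  # True
```

The same guard belongs in the RADIUS-to-LDAP "plain" path, where there is no passcode suffix to strip but the empty-password BIND is just as reachable.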

RADIUS PEAPv1/GTC Server:

An issue has been found in the Authentication Proxy's implementation of RADIUS PEAPv1/GTC authentication, which is primarily used to support NetMotion Wireless integrations. In cases where users are otherwise not required to complete Duo authentication, the Authentication Proxy does not properly validate the results of primary authentication. This may occur, for example, if the associated application in Duo is configured with a "new user policy" of "Allow Access", or if the Authentication Proxy is configured with a failmode of "safe" and cannot communicate with Duo's service. Additionally, for a new user policy of "Require Enrollment", users unrecognized by Duo may be permitted to enroll (but not login) without successfully completing primary authentication.

Impact

Attackers may be able to partially or fully bypass authentication on systems that authenticate users via affected configurations of the Duo Authentication Proxy.

Affected Product(s)

Take the following steps to determine whether your configuration may be affected:

1. Open your authproxy.cfg file.

  • Windows: C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
  • Linux: /opt/duoauthproxy/conf/authproxy.cfg

2. Check for the following fields:

  • If you have a section marked [ldap_server_auto], you must upgrade your Duo Authentication Proxy to version 2.4.16 or later.
  • If you have a section marked [ad_client], check to see if you have the following value beneath it: auth_type=plain. If you have this value, you must upgrade your Duo Authentication Proxy to version 2.4.16 or later.
  • If you have a section marked [radius_server_eap], you must upgrade your Duo Authentication Proxy to version 2.4.17 or later.

For more information on this process, please see our knowledge base for details on how to verify whether you're affected: https://kb.duo.com/s/article/2934
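The checks in this advisory (the [ldap_server_auto], [ad_client] with auth_type=plain, and [radius_server_eap] sections) and the "api_timeout" check in DUO-PSA-2016-002 are all lookups over the same authproxy.cfg file, so one audit covers both. The script below is an added example, not a Duo tool; the sample configuration inside it is constructed, with placeholder hosts and secrets. It assumes that additional sections of one type carry a numeric suffix (for example [ad_client2]) and audits those as the base type.

```python
import configparser
import re

# Constructed sample authproxy.cfg (not from any real deployment); every
# secret and host is a placeholder. It deliberately trips two of the checks.
SAMPLE_AUTHPROXY_CFG = """\
; authproxy.cfg (constructed example)
[ad_client]
host=dc1.example.internal
service_account_username=duo_svc
service_account_password=PLACEHOLDER-NOT-A-REAL-PASSWORD
search_dn=DC=example,DC=internal
auth_type=plain

[radius_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=10.0.0.5
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
api_timeout=15
failmode=safe
"""


def load_authproxy_cfg(text):
    # strict=False tolerates repeated keys; interpolation=None keeps '%' in secrets literal.
    cp = configparser.ConfigParser(strict=False, allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp


def base_section(name):
    # Assumption: further sections of the same type carry a numeric suffix
    # (e.g. [ad_client2]); strip it so they are audited like the first one.
    return re.sub(r"\d+$", "", name)


def audit_authproxy_cfg(text):
    """Return (section, finding) pairs for the conditions the two advisories list."""
    cp = load_authproxy_cfg(text)
    findings = []
    for section in cp.sections():
        base = base_section(section)
        if "api_timeout" in cp[section]:
            findings.append((section, "api_timeout set: remove it or upgrade to 2.4.18+ (DUO-PSA-2016-002)"))
        if base == "ldap_server_auto":
            findings.append((section, "LDAP server section present: upgrade to 2.4.16+ (DUO-PSA-2016-001)"))
        if base == "ad_client" and cp[section].get("auth_type", "").strip().lower() == "plain":
            findings.append((section, "auth_type=plain: upgrade to 2.4.16+ (DUO-PSA-2016-001)"))
        if base == "radius_server_eap":
            findings.append((section, "PEAPv1/GTC server section present: upgrade to 2.4.17+ (DUO-PSA-2016-001)"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_authproxy_cfg(SAMPLE_AUTHPROXY_CFG):
        print(f"[{section}] {finding}")
```

To audit a real proxy, read the file at the path the advisory gives for your platform into `audit_authproxy_cfg`; an empty result means none of the listed conditions is present, and a version at or above the one named in each finding closes that finding.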

Solution

Customers using an affected configuration should upgrade to the latest version of the Duo Authentication Proxy as discussed above. Download the latest version from:

For more information on upgrading the Authentication Proxy, see https://duo.com/docs/authproxy_reference#upgrading-the-proxy

Vulnerability Metrics

LDAP Client:

Vulnerability Class: CWE-230: Improper Handling of Missing Values
Remotely Exploitable: Yes
Authentication Required: No
Severity: Critical
CVSSv2 Overall Score: 6.9
CVSSv2 Group Scores: Base: 8.8, Temporal: 6.9
CVSSv2 Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N/E:POC/RL:OF/RC:C)

RADIUS PEAPv1/GTC Server:

Vulnerability Class: CWE-391: Unchecked Error Condition
Remotely Exploitable: Yes
Authentication Required: No
Severity: High
CVSSv2 Overall Score: 4.5
CVSSv2 Group Scores: Base: 5.8, Temporal: 4.5
CVSSv2 Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

References

Timeline

2016-05-05

  • Duo privately receives report of a security vulnerability in the Authentication Proxy
  • Duo acknowledges receipt of report and begins investigation

2016-05-09

  • Engineers at Duo confirm the issue and begin investigating potential fixes

2016-05-10

  • Duo completes development and testing of fixes

2016-05-11

  • Advisory released to paid Duo customers

2016-05-11

  • Duo privately receives report of an additional authentication bypass issue in the Authentication Proxy
  • Duo acknowledges receipt of additional report and begins investigation

2016-05-12

  • Engineers at Duo confirm the second report and begin investigating potential fixes

2016-05-13

  • Duo completes development and testing of new fixes

2016-05-16

  • Advisory revised and re-released to paid Duo customers

2016-05-23

  • Advisory released to non-paid Duo customers

Credits/Contact

Technical questions regarding this issue should be sent to support+ap@duosecurity.com and reference "DUO-PSA-2016-001" in the subject, or to your Customer Success Manager, if appropriate.

Duo Security would like to thank Ashley Bartlett of the Atlassian Workplace Technology team for reporting the LDAP issue. Duo Security would like to thank Tom Weston at Teneo for reporting the RADIUS PEAPv1/GTC issue.

]]>
<![CDATA[DUO-PSA-2015-003: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2015-003 https://duo.com/labs/psa/duo-psa-2015-003 Thu, 06 Aug 2015 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2015-003
Original Publication Date: 2015-08-06
Revision Date: 2015-08-10
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue which, under certain configurations, could have enabled attackers to bypass second-factor authentication.

Note: this issue has been resolved through a patch to Duo's backend service; most Duo customers need not take any action. Duo has determined that only a very small number of customers may have been affected by this issue, and has separately contacted those customers with additional remediation steps.

Description

When interacting with Duo-protected applications using Duo's Web SDK, Duo's two-factor authentication system did not strip leading whitespace from usernames. As a result, a username (e.g. "alice") was treated as distinct from the same username with whitespace in front of it (e.g. "[space]alice"). It would have been possible for an attacker to exploit this behavior to bypass second-factor authentication if:

  • An application using Duo's Web SDK stripped (or ignored) leading whitespace in usernames for primary authentication, but sent usernames with leading whitespace to Duo's service; and
  • The "New User Policy" for the application was set to "Require Enrollment" or "Allow Access"

For example, if an attacker had gained knowledge of the password for user "alice", then he could instead log in as "[space]alice". Then, after completing primary authentication, he would either receive a prompt from Duo to enroll as a new user, or be permitted to skip 2FA entirely (under the "Require Enrollment" and "Allow Access" policies, respectively). In either case, he would bypass the existing 2FA setup for "alice".

Impact

Attackers who gained knowledge of a user's primary credentials may have been able to bypass second-factor authentication for certain applications using the Web SDK.

Affected Product(s)

The issue affected Duo's 2-factor authentication service; however, only the following types of applications have met the necessary conditions (described above) to trigger it:

  • Duo's Shibboleth integration
  • Unicon's CAS integration
  • Customer-developed applications using the Duo Web SDK

Solution

The issue has been resolved through a patch to Duo's backend service; Duo now trims whitespace from usernames before performing any lookups. Customers do not need to apply any software updates.

Duo has identified a very small group of customers who may have been affected by this issue, and has separately contacted them with additional remediation steps.

Vulnerability Metrics

Vulnerability Class: CWE-156: Improper Neutralization of Whitespace
Remotely Exploitable: Yes
Authentication Required: Partial
Severity: Medium
CVSSv2 Overall Score: 5.5
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3, Environmental: 5.5
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND

References

Timeline

2015-08-04

  • Customer reports that adding whitespace to usernames when using the Unicon CAS integration can result in a 2FA bypass

2015-08-05

  • Engineers at Duo confirm the issue
  • Duo develops a fix and applies it across Duo's production infrastructure

2015-08-06

  • Duo drafts and publishes advisory

2015-08-10

  • Advisory updated to reflect that all affected customers have now been contacted

Credits/Contact

Duo Security would like to thank University of Nebraska-Lincoln for reporting this issue.

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2015-003" in the subject.

Other feedback regarding this issue can be sent to security@duosecurity.com.

]]>
<![CDATA[DUO-PSA-2015-002: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2015-002 https://duo.com/labs/psa/duo-psa-2015-002 Mon, 06 Apr 2015 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2015-002
Original Publication Date: 2015-04-06
Revision Date: 2015-04-13
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue in recent versions of Duo Mobile for iOS that could allow attackers to perform a successful Man-in-the-Middle (MITM) attack against the app's TLS connections, if they can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service.

This issue has been fixed in Duo Mobile 3.7.1; all iOS users should update as soon as possible.

Description

On the iOS platform, Duo Mobile leverages AFNetworking - a widely-used third-party HTTP client library - to communicate with Duo's cloud service. Recently, it was determined that AFNetworking did not validate digital certificates against server hostnames by default. As a result, Duo Mobile would e.g. consider a digital certificate for "www.example.com" as valid for "api-XXXXXXXX.duosecurity.com" when establishing a TLS tunnel.

This behavior makes it possible for an attacker to perform a successful Man-in-the-Middle (MITM) attack against TLS connections from affected versions of Duo Mobile, if he can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service. This might be a risk, for example, when using Duo Mobile while connected to untrusted wi-fi networks.

However, in addition to TLS, Duo Mobile uses application-level signatures to ensure the integrity and authenticity of requests sent from Duo Mobile to Duo's service. Because of this mechanism, a MITM attack would still not generally allow an attacker to e.g. approve a fraudulent Duo Push authentication request.

Note: A different vulnerability was introduced into AFNetworking in version 2.5.1, and recently gained widespread attention. Duo Mobile currently uses AFNetworking version 2.3.1, and was therefore not affected by that particular vulnerability. This is a separate - if very similar - issue.

Impact

An attacker can perform a successful Man-in-the-Middle (MITM) attack against Duo Mobile's TLS connections if he can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service. Duo's application-level signing mechanism still generally prevents the attacker from e.g. approving fraudulent Duo Push authentication requests. However, there are some limitations to this technique:

  • Duo Mobile cannot use application-level signatures when setting up a new account, because - at this point - the app has not yet negotiated a key-pair with Duo's service. If an attacker intercepted traffic from Duo Mobile during this process, he could gain the ability to generate valid one-time passcodes and exert full control over subsequent Duo Push authentication requests intended for the targeted device.
  • Requests from Duo Mobile to Duo's service have application-level signatures, but responses from the service do not. It may therefore be feasible for an attacker to manipulate details of a fraudulent authentication request such that it appears legitimate, thereby tricking a user into approving it.

Affected Product(s)

  • Duo Mobile for iOS, versions 3.4 - 3.7

Solution

Duo Mobile 3.7.1 was published to the iTunes App Store on April 6, 2015. This version ensures that certificate domain-name validation is performed for all TLS connections.

Users should upgrade to this version immediately to prevent the issues described above. Note that administrators can audit their users' Duo Mobile app versions in the "phones" section of the Duo administrative interface.

As noted above, there is a small risk that users' Duo Mobile credentials could be compromised, if an attacker captured network traffic from Duo Mobile during account setup. After users have upgraded, administrators may choose to forcibly invalidate any existing credentials by re-activating users' Duo Mobile accounts in the administrative interface.

Vulnerability Metrics

Vulnerability Class: Improper Certificate Validation (CWE-295)
Remotely Exploitable: Yes
Authentication Required: No
Severity: High
CVSSv2 Overall Score: 5.8
CVSSv2 Group Scores: Base: 6.8, Temporal: 5.9, Environmental: 5.8
CVSSv2 Vector: AV:A/AC:L/Au:N/C:C/I:P/A:N/E:H/RL:OF/RC:C/CDP:MH/TD:M/CR:M/IR:H/AR:M

References

Timeline

2015-04-02

  • Engineers at Duo internally discover that Duo Mobile for iOS does not correctly validate server certificates.
  • Duo develops a fix and submits an updated Duo Mobile 3.7.1 to the iTunes App Store.

2015-04-03

  • Duo Mobile for iOS version 3.7.1 is approved by Apple

2015-04-06

  • Duo completes testing on Duo Mobile for iOS 3.7.1 and releases it to end users.
  • Duo drafts advisory and shares it with affected Enterprise and Business customers.

2015-04-13

  • Duo updates advisory and shares it with all remaining customers.

Credits/Contact

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2015-002" in the subject.

Other feedback regarding this issue can be sent to security@duosecurity.com.

]]>
<![CDATA[DUO-PSA-2015-001: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2015-001 https://duo.com/labs/psa/duo-psa-2015-001 Tue, 03 Feb 2015 00:00:00 -0500

Duo Product Security Advisory

Advisory ID: DUO-PSA-2015-001
Original Publication Date: 2015-02-03
Revision Date: 2015-02-10
Status: Confirmed, Fixed
Document Revision: 3

Overview

Duo Security has identified an issue in certain versions of the Duo Web SDK that could allow attackers to bypass primary and secondary authentication if they have separately gained access to the Duo integration's secret key, and can create valid usernames containing pipe characters ('|').

Note: This issue does not affect any Duo-authored integrations; it only affects custom integrations developed using affected versions of the Web SDK.

Description

Duo's Web SDK requires two secret values: the integration secret key (SKEY) and an application secret key (AKEY). The SKEY is shared between Duo and the application incorporating the Web SDK integration, while the AKEY must be known only to the application.

Both of these values must be kept confidential. In the unlikely event that attackers could gain access to the SKEY, they could use it to bypass secondary authentication. However, the Duo Web SDK incorporates an additional mechanism, using the AKEY, to ensure that attackers would only be able to use the SKEY to bypass secondary authentication; i.e. they would still need access to a target user's primary credentials (or to the AKEY itself) to log in.

Recently, Duo Security became aware of an issue in which certain versions of the Web SDK perform insufficiently-strict validation of responses from Duo's service. This issue could allow attackers to bypass this AKEY-based protection in an application using an affected version of the Web SDK, if they have separately gained access to the integration's confidential SKEY and can also create a valid user account with a username containing pipe characters ('|').

Impact

With affected versions of the Duo Web SDK, attackers may be able to bypass primary and secondary authentication if they can both:

  • Gain separate access to the Web SDK integration's confidential SKEY
  • Create a valid username containing pipe characters ('|')

The Web SDK's design relies on the SKEY being kept confidential; this issue can only be exploited in cases where a core security requirement has already been violated. As such, Duo Security considers the overall severity of this issue to be low.

Affected Product(s)

Duo Web SDKs for:

  • Ruby
  • Java
  • Perl
  • PHP
  • ColdFusion

The Web SDKs for Python, ASP Classic, ASP.NET, and NodeJS were not affected.

In addition, while Duo provides some integrations that incorporate affected versions of the Web SDK (for Confluence, Jira, Shibboleth, MediaWiki, Wordpress, and Drupal), we have determined that none of these integrations are affected by this issue.

Solution

For customers using custom integrations developed with affected versions of the Web SDK: update to the latest Web SDK.

All affected versions of the Web SDK have been patched to strictly validate responses, and reject usernames that contain pipe characters. The latest versions of the Web SDK can be found at:

Workaround

Applications may mitigate this issue (without updating the Web SDK) if they either:

  • Do not allow usernames that contain pipe characters, or
  • Use some alternate means (e.g. session state) to store the username of a user upon successful primary authentication, and then verify that the Duo-returned username (from 'verify_response()') exactly matches the previously-stored value.
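The following is an added example, not Duo's SDK code: a toy model in Python of the two-key scheme the advisory describes (one signed half keyed by the SKEY, one keyed by the AKEY, both carrying the username) together with the two defenses it names. The key values, the 'prefix|base64(user|ikey|expiry)|hmac' layout and the TX/APP/AUTH prefixes are assumptions of the model, and the real SDKs' parsing is not reproduced. It places a lax parser that silently drops extra '|'-separated fields beside a strict one that demands exact field counts and refuses usernames containing '|', and it shows the session-state comparison from the workaround, which rejects a forged response even when the parser is lax.

```python
import base64
import hashlib
import hmac
import time

# Constructed keys. The ikey is public by design; the skey and akey must stay secret.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "constructed-skey-shared-with-the-duo-service"
AKEY = "constructed-akey-known-only-to-the-application"

DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600


def _sig(key, msg):
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()


def sign_vals(key, user, prefix, expire):
    """One signed half of the exchange: prefix|base64(user|ikey|exp)|hmac (assumed layout)."""
    exp = int(time.time()) + expire
    b64 = base64.b64encode(f"{user}|{IKEY}|{exp}".encode()).decode()
    cookie = f"{prefix}|{b64}"
    return f"{cookie}|{_sig(key, cookie)}"


def parse_vals_lax(key, val, prefix):
    """Lax parser: reads the first three fields of each layer and ignores the rest."""
    parts = val.split("|")
    if len(parts) < 3:
        return None
    u_prefix, u_b64, u_sig = parts[0], parts[1], parts[2]
    if not hmac.compare_digest(u_sig, _sig(key, f"{u_prefix}|{u_b64}")) or u_prefix != prefix:
        return None
    fields = base64.b64decode(u_b64).decode().split("|")
    user, u_ikey, exp = fields[0], fields[1], fields[2]  # trailing fields silently dropped
    if u_ikey != IKEY or int(time.time()) > int(exp):
        return None
    return user


def parse_vals_strict(key, val, prefix):
    """Strict parser: exact field counts, so a '|' inside a username cannot shift fields."""
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    if not hmac.compare_digest(u_sig, _sig(key, f"{u_prefix}|{u_b64}")) or u_prefix != prefix:
        return None
    try:
        fields = base64.b64decode(u_b64, validate=True).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(fields) != 3:
        return None
    user, u_ikey, exp = fields
    if u_ikey != IKEY or not exp.isdigit() or int(time.time()) > int(exp):
        return None
    return user


def sign_request(user, strict=True):
    """Built by the app after primary auth: SKEY-signed TX half + AKEY-signed APP half."""
    if strict and "|" in user:
        raise ValueError("usernames containing '|' are rejected")
    return f"{sign_vals(SKEY, user, DUO_PREFIX, DUO_EXPIRE)}:{sign_vals(AKEY, user, APP_PREFIX, APP_EXPIRE)}"


def service_response(sig_request, parse=parse_vals_strict):
    """Stands in for the Duo service: after the second factor succeeds it returns an
    SKEY-signed AUTH half and hands the APP half back untouched."""
    duo_sig, app_sig = sig_request.split(":")
    user = parse(SKEY, duo_sig, DUO_PREFIX)
    if user is None:
        return None
    return f"{sign_vals(SKEY, user, AUTH_PREFIX, DUO_EXPIRE)}:{app_sig}"


def verify_response(sig_response, parse):
    """Both halves must verify under their own key and must name the same user."""
    auth_sig, app_sig = sig_response.split(":")
    auth_user = parse(SKEY, auth_sig, AUTH_PREFIX)
    app_user = parse(AKEY, app_sig, APP_PREFIX)
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user


def finish_login(session, sig_response, parse):
    """Advisory's workaround: the verified user must equal the one recorded in
    session state at primary authentication, whatever the parser returned."""
    user = verify_response(sig_response, parse)
    if user is None or user != session.get("primary_user"):
        return None
    return user


def attacker_response():
    """Constructed attack on the toy model: the attacker holds SKEY and owns an account
    whose name is shaped so that the lax parser reads its APP half as 'victim'."""
    attacker_user = f"victim|{IKEY}|9999999999"
    app_half = sign_request(attacker_user, strict=False).split(":")[1]  # issued legitimately
    forged_auth = sign_vals(SKEY, "victim", AUTH_PREFIX, DUO_EXPIRE)    # forged with stolen SKEY
    return attacker_user, f"{forged_auth}:{app_half}"
```

With the lax parser the constructed response from attacker_response() verifies as 'victim'; the strict parser rejects it at the field-count check (and sign_request() would never have issued the APP half, since the username contains '|'); finish_login() rejects it under either parser because 'victim' is not the name the session recorded at primary authentication.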

Vulnerability Metrics

Vulnerability Class: Improper Handling of Extra Parameters (CWE-235)
Remotely Exploitable: Yes
Authentication Required: No
Severity: Low
CVSSv2 Overall Score: 4.5
CVSSv2 Group Scores: Base: 4, Temporal: 3.3, Environmental: 4.5
CVSSv2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:H

References

Timeline

2015-01-21

  • Researchers from Sakurity report a possible issue in the Duo Web SDK for Ruby
  • Duo acknowledges receipt of the report; begins investigation
  • Duo confirms the issue in the Duo Web SDK for Ruby

2015-01-22

  • Duo determines that the Web SDKs for PHP, Perl, Java, and ColdFusion are also affected
  • Duo confirms that all other versions of the Web SDK, and all other Duo integrations, are unaffected

2015-01-27

  • Duo develops patches for all affected versions of the Web SDK

2015-02-03

  • Duo updates all affected versions of the Web SDK
  • Duo drafts advisory and shares it with affected Enterprise and Business customers

2015-02-10

  • Duo updates advisory and shares it with affected Personal customers

Credits/Contact

Duo Security would like to thank the team at Sakurity for discovering and reporting this issue.

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2015-001" in the subject.

Other feedback regarding this issue can be sent to security@duosecurity.com.

]]>
<![CDATA[DUO-PSA-2014-008: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2014-008 https://duo.com/labs/psa/duo-psa-2014-008 Mon, 22 Dec 2014 00:00:00 -0500

Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-008
Publication Date: 2014-12-22
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue in the iOS Duo Mobile app that may allow credentials to be backed up in an encrypted form to a user's local machine via iTunes.

Description

The Duo Mobile application takes special steps to harden its credential storage on each respective mobile platform. On iOS, Duo Mobile leverages the Keychain service, a platform-provided framework for securely storing Duo user credentials (e.g. the private key for Duo Push).

The Keychain service also offers security attributes that can provide additional hardening. In particular, it allows a restriction to be set that Keychain items backed up using iTunes to a local machine via USB must only be restored to the same device. In other words, the encrypted backup is tied to a device-specific key and therefore cannot be restored to a different iOS device.

While this special Keychain attribute requires that a user must reactivate their Duo account upon purchasing a new iOS device (either via an administrator or the user self-service portal), we deemed it a useful hardening measure for Duo Mobile credentials.

However, we recently discovered a regression in Duo Mobile, starting with Duo Mobile 3.0, in which that security attribute was not being properly applied to Keychain items containing Duo user credentials.

Impact

As the intended Keychain security attribute was not being applied to credentials stored with Duo Mobile, user-initiated encrypted backups of their iOS device using iTunes to a local machine via USB may contain the user's Duo credentials.

Note: Unencrypted iTunes backups, iCloud backups, and the iCloud Keychain are unaffected and will not contain any Duo Mobile credentials.

If an attacker were able to obtain the encrypted iTunes backup from the user's local machine AND capture the password used to encrypt it, they may be able to restore that backup onto a different iOS device of their choosing and use Duo Mobile to forge second-factor authentication attempts to Duo's service.

Affected Product(s)

  • Duo Mobile for iOS >= 3.0 and < 3.5.1.

Solution

Duo Mobile for iOS 3.5.1 was published to the iTunes App Store on December 16th, 2014. This version fixes the issue by creating Keychain items with the correct security attribute (kSecAttrAccessibleWhenUnlockedThisDeviceOnly).

In addition, upon upgrading to the new 3.5.1 version, the app will update all existing items in the Keychain with the correct accessibility attribute.

Users should upgrade to this version through the iTunes App Store to prevent any potential exposure of Duo Mobile credentials in their device backups.

Workaround

There is no complete workaround for this issue. However, users can delete any existing encrypted device backups and avoid performing any new backups until they have updated to Duo Mobile 3.5.1.

Alternately, an administrator can re-activate a user's Duo Mobile account in the administrative interface to force the invalidation of any backed up credentials. Please note that existing Duo Mobile credentials will not be invalidated until users complete the re-activation process (i.e. open a new activation link in Duo Mobile).

Vulnerability Metrics

Vulnerability Class: Improper Cross-boundary Removal of Sensitive Data (CWE-212)
Remotely Exploitable: No
Authentication Required: Yes
Severity: Low
CVSSv2 Overall Score: 2.8
CVSSv2 Group Scores: Base: 4.4, Temporal: 3.8, Environmental: 2.8
CVSSv2 Vector: (AV:L/AC:M/Au:S/C:C/I:N/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:M/CR:M/IR:M/AR:L)

References

Timeline

2014-12-02

  • A Duo customer reports unexpected behavior: their accounts are restored successfully to a new iOS device.
  • Duo acknowledges receipt of report; begins investigation.

2014-12-04

  • Additional communication with the customer to confirm the reported issue.

2014-12-08

  • Duo confirms the issue in the iOS version of Duo Mobile and begins implementing a fix.

2014-12-10

  • Duo completes the fix and submits an updated Duo Mobile 3.5.1 to the iTunes App Store.

2014-12-16

  • Duo Mobile 3.5.1 is approved by Apple and is released to end users.

2014-12-22

  • Duo shares advisory with affected Enterprise customers.

2015-01-12

  • Advisory is updated to clarify re-activation procedure.
  • Duo shares advisory with affected Business customers.

Credits/Contact

Duo would like to thank the customer who reported this issue to us.

If you require the assistance of our support team regarding this issue, please contact support@duosecurity.com and reference "DUO-PSA-2014-008" in the subject.

]]>
<![CDATA[DUO-PSA-2014-007: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2014-007 https://duo.com/labs/psa/duo-psa-2014-007 Wed, 15 Oct 2014 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-007
Publication Date: 2014-10-15
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo Security has identified an issue that may allow local users to bypass second factor authentication when using the pam_duo component of duo_unix in conjunction with specific versions of sudo.

Description

Code changes made in version 1.8.7 of sudo altered functionality in a way that ultimately resulted in a bug in authentication handling. Because of this change, on systems running sudo versions 1.8.7 through 1.8.11, pam_duo-enabled sudo deployments could have the second factor of authentication bypassed when pam_duo's failmode was configured as 'safe'. This sudo bug was fixed in 1.8.11p1, which resolves the resulting bypass condition.

If pam_duo was not used for sudo, or pam_duo's failmode was configured as 'secure', this issue does not affect your environment. Further, users must already hold sudo privileges in order to benefit from this authentication bypass. Lastly, users are still required to authenticate with their primary credential (most likely a password) before being able to execute any authorized sudo commands.

Impact

Users that already hold sudo privileges may be able to skip authenticating via their second factor for sudo command execution. This could allow an attacker who already has access to the system to run the user's authorized sudo commands by typing only the user's password, without actually authenticating with Duo Security's service.

Affected Product(s)

Your Duo deployment is affected only if all of the following are true:

  • Using duo_unix <= 1.9.12;
  • Using pam_duo to protect the sudo service; and
  • Using sudo >= 1.8.7 and < 1.8.11p1.

Users of the following operating systems are likely using an impacted version of sudo:

  • Ubuntu 14.04 (Trusty)
  • OpenSuSE 13.1
  • Fedora 20
  • FreeBSD 9.2 and 10.0
  • Arch Linux 2013-07-01 to 2014-09-25
  • Mageia 4
  • Linux Mint 17 (Qiana)

Solution

For customers running duo_unix 1.9.12 or earlier, upgrade to version 1.9.13. See https://www.duosecurity.com/docs/duounix for installation instructions, and a link to download the latest version of the integration.

Workaround

If your duo_unix integration cannot be upgraded immediately, each of the following workarounds should individually mitigate the risk of this sudo bug impacting pam_duo:

  • Upgrade sudo to version 1.8.11p1 or later.
  • Configure pam_duo's failmode to be 'secure'.
  • Fully disable sudo access for users.
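To decide whether a host meets all of the conditions above, the following added Python check (not part of duo_unix) evaluates `sudo -V` output, /etc/pam.d/sudo and pam_duo.conf against the advisory's version and failmode rules. The sample inputs are constructed, the comparison treats 1.8.11 as older than 1.8.11p1, and the assumption that failmode defaults to 'safe' when it is not set follows the duo_unix documentation.

```python
import re

# Constructed stand-ins for `sudo -V`, /etc/pam.d/sudo and /etc/duo/pam_duo.conf.
SUDO_V_AFFECTED = "Sudo version 1.8.9p5\nConfigure options: --prefix=/usr\n"
SUDO_V_FIXED = "Sudo version 1.8.11p1\n"
PAM_D_SUDO = "#%PAM-1.0\nauth required pam_env.so\nauth required pam_duo.so\n@include common-account\n"
PAM_DUO_SAFE = "[duo]\n; constructed config\nikey = DIXXXXXXXXXXXXXXXXXX\nhost = api-XXXXXXXX.duosecurity.com\nfailmode = safe\n"
PAM_DUO_SECURE = PAM_DUO_SAFE.replace("failmode = safe", "failmode = secure")

SUDO_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(sudo_v_output):
    """'1.8.11p1' -> (1, 8, 11, 1); a release without a patch level gets 0, so 1.8.11 < 1.8.11p1."""
    m = SUDO_VERSION_RE.search(sudo_v_output)
    if not m:
        raise ValueError("unrecognized sudo -V output")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def parse_duo_unix_version(text):
    """'1.9.12' -> (1, 9, 12)."""
    return tuple(int(x) for x in text.strip().split("."))


def pam_duo_protects_sudo(pam_d_sudo):
    """True if an uncommented line in /etc/pam.d/sudo loads pam_duo.so."""
    return any("pam_duo.so" in line
               for line in pam_d_sudo.splitlines()
               if not line.lstrip().startswith("#"))


def pam_duo_failmode(conf_text):
    """failmode from pam_duo.conf; assumed (per duo_unix docs) to default to 'safe' when unset."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith((";", "#")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "failmode":
            return value.lower()
    return "safe"


def sudo_bypass_exposed(sudo_v_output, pam_d_sudo, pam_duo_conf, duo_unix_version):
    """All of the advisory's conditions must hold for the host to be exposed."""
    sudo_version = parse_sudo_version(sudo_v_output)
    return (parse_duo_unix_version(duo_unix_version) <= (1, 9, 12)
            and pam_duo_protects_sudo(pam_d_sudo)
            and (1, 8, 7, 0) <= sudo_version < (1, 8, 11, 1)
            and pam_duo_failmode(pam_duo_conf) == "safe")
```

Any one of the three workarounds flips the result: a sudo at or above 1.8.11p1 fails the version window, 'failmode = secure' fails the failmode test, and removing pam_duo from /etc/pam.d/sudo (or sudo access itself) fails the PAM check.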

Vulnerability Metrics

Vulnerability Class: Authentication Bypass Issues (CWE-592)
Remotely Exploitable: No
Authentication Required: Yes
Severity: Medium
CVSSv2 Overall Score: 3.7
CVSSv2 Group Scores: Base: 3, Temporal: 2.6, Environmental: 3.7
CVSSv2 Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND)

References

Timeline

2014-10-08

  • Jason Strange from Techno Wizardry reports a possible 2FA bypass with pam_duo
  • Duo acknowledges receipt of report and begins investigation

2014-10-09

  • Duo finds that the underlying bypass issue was created through a now-resolved bug in sudo
  • Duo informs Jason Strange of the underlying issue and confirms expected behavior with him

2014-10-10

  • Duo evaluates impacted versions of sudo and related packages for stable OS distributions
  • Duo commits a code fix to our public duo_unix source tree to work around sudo's bug

2014-10-13

  • Duo releases duo_unix 1.9.13 containing a fix for impacted versions of sudo using pam_duo

2014-10-15

  • Duo drafts advisory and shares it with affected customers

Credits/Contact

Duo Security would like to thank Jason Strange of Techno Wizardry for alerting us to the behavior which led us to find this issue.

Feedback regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2014-007" in the subject.

]]>
<![CDATA[DUO-PSA-2014-006: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2014-006 https://duo.com/labs/psa/duo-psa-2014-006 Thu, 09 Oct 2014 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-006
Publication Date: 2014-10-09
Revision Date: 2014-10-16
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue in which it may be possible for users to perform certain actions without completing two-factor authentication on systems which use the Duo OWA integration (prior to version 1.1.6).

Description

Starting with Exchange Server 2010, deployments of Outlook Web App (OWA) consist of two different user-facing web applications: OWA itself, and the Exchange Control Panel (ECP, also known as the "Exchange Admin Center" in Exchange Server 2013). In a typical deployment, with the Exchange Client Access Server role deployed to a server named mail.example.com, users log into OWA by visiting https://mail.example.com/owa, and users can access ECP at https://mail.example.com/ecp.

For unprivileged users, ECP provides self-service access to a variety of email and account settings; users typically can, for example:

  • Add, edit, or remove mail filters
  • Change their passwords
  • Set up auto-reply actions

Administrators can additionally use ECP to manage the Exchange deployment. In Exchange Server 2013, in particular, the "Exchange Admin Center" is the primary administrative UI for Exchange.

Prior to version 1.1.6, Duo's OWA integration only added two-factor protection to the OWA application, not the ECP application. Users visiting any URL beginning with https://mail.example.com/owa would be required to complete Duo authentication, but users visiting a URL beginning with https://mail.example.com/ecp would only need to complete primary authentication (e.g. enter a username and password).

(Note that, by design, Duo's OWA integration does not interfere with thick-client access to mail through components like Outlook Anywhere, ActiveSync, or Exchange Web Services. We recommend that customers configure their Exchange deployments accordingly, e.g. by blocking internet-facing access to these services if appropriate.)

Impact

Users with valid primary authentication credentials (username and password) can log into the Exchange Control Panel (or Exchange Admin Center) without completing secondary authentication. Regular users can use ECP to edit personal settings - for example, change their passwords and edit mail filter rules. Administrators can additionally use ECP to perform a wide range of administrative actions on the Exchange deployment.

Affected Product(s)

  • Duo Security OWA Integration 1.1.5 and earlier, when used with Exchange Server 2010 or 2013. (Exchange Server 2007 is unaffected.)

Solution

  • For customers running Exchange Server 2010 or 2013: Install the Duo Security OWA Integration version 1.1.7 (or later) on your Exchange Client Access Server instance(s). See https://www.duosecurity.com/docs/owa for installation instructions, and a link to download the latest version of the integration.
  • For customers running Exchange Server 2007: No action is required.

Workaround

There is no complete workaround for this issue. However, in some cases, the following options may help mitigate its impact:

  • Customers may disable administrative features in ECP (particularly on internet-facing Client Access Server instances) as documented on http://technet.microsoft.com/en-us/library/jj218639(v=exchg.150).aspx.
  • If user access to internet-facing Client Access Server deployments is mediated through a reverse-proxy or web filter, it may be possible to block access to all ECP URL paths (i.e. those beginning with /ecp). However, this will interfere with users' ability to access their mail settings.

Vulnerability Metrics

Vulnerability Class: Use of Single-factor Authentication (CWE-308)
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: Medium
CVSSv2 Overall Score: 5.1
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3, Environmental: 5.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:ND/CDP:ND/TD:ND/CR:H/IR:H/AR:H)

References

Timeline

2014-07-24

  • Researchers from FireID Security report possible 2FA bypass in OWA integration
  • Duo acknowledges receipt of report; begins investigation

2014-08-12

  • Duo confirms the issue and begins implementing a fix

2014-08-27

  • Duo updates OWA integration to 1.1.6, adding 2-factor authentication to ECP

2014-08-29

  • Duo receives reports that the 1.1.6 update interferes with thick-client access to Exchange Server (e.g. Outlook Anywhere, ActiveSync, and EWS)

2014-09-04

  • Duo confirms the bug in version 1.1.6, and begins work on a fix

2014-09-11

  • Duo updates OWA integration to version 1.1.7, with a fix to allow Outlook Anywhere, ActiveSync, and EWS traffic while requiring 2-factor authentication for OWA and ECP

2014-10-09

  • Duo drafts advisory and shares it with affected Enterprise customers

2014-10-16

  • Duo shares advisory with affected Business and Personal customers

Credits/Contact

Duo Security would like to thank Kobus Botha and Konrad Blum of FireID Security for discovering and reporting this issue.

Feedback regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2014-006" in the subject.

]]>
<![CDATA[DUO-PSA-2014-005: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2014-005 https://duo.com/labs/psa/duo-psa-2014-005 Mon, 12 May 2014 00:00:00 -0400

Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-005
Publication Date: 2014-05-12
Revision Date: 2014-05-27
Status: Confirmed, Fixed
Document Revision: 3

Overview

Duo Security has identified an issue in its Credential Provider-based Remote Desktop Protocol (RDP) integrations (i.e. those installed on Windows Vista / Server 2008 and later) which may allow a user with an expired password, upon completing primary and secondary authentication, to switch to another user account using that account's primary credentials, skipping secondary authentication for that account.

Description

The RDP integration works to add two-factor authentication to Windows logins, both Remote Desktop and (optionally) the local console. When a user has provided valid credentials (username and password), the integration presents a second-factor authentication dialog for the provided username. Under normal operation, when the second-factor authentication is successful, the user is logged on.

However, if the user's password has expired, then rather than logging the user in, the system will instead present a prompt requesting a password change. At this prompt, the user may type in a new (different) username and corresponding password - and if these credentials are valid, the user can proceed to log in with (and reset the password for) the new username without any corresponding second-factor authentication challenge for the new username.

Impact

A valid user (with a valid username/password and secondary authenticator) may, if his/her password expires, be able to log in to another user account using only that account's username/password - i.e. without secondary authentication - after completing primary and secondary authentication for his/her own account.

Affected Product(s)

  • Duo RDP Integration (Credential-Provider based) versions 1.0.7 through 1.1.4, running on Windows Vista, Server 2008, and newer.

Solution

Install the latest version of the Duo Security RDP Integration (currently, version 1.1.7) on your host. The latest version can be downloaded at https://dl.duosecurity.com/duo-win-login-latest.exe

Vulnerability Metrics

Vulnerability Class: Privilege Context Switching Error (CWE-270)
Remotely Exploitable: No
Authentication Required: Yes
Severity: Medium
CVSSv2 Overall Score: 5.1
CVSSv2 Group Scores: Base: 5.3, Temporal: 4.6, Environmental: 5.1
CVSSv2 Vector: (AV:L/AC:H/Au:M/C:C/I:C/A:N/E:ND/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND)

References

Timeline

2014-03-21

  • Duo discovers issue internally, identifies and implements fix

2014-04-01

  • Release is posted on dl.duosecurity.com

2014-04-03

  • Advisory is drafted, Duo performs additional testing

2014-05-12

  • Advisory is shared with affected Enterprise customers

2014-05-20

  • Advisory is shared with affected Business customers
  • Version number incremented to reflect timeline update

2014-05-27

  • Advisory is shared with affected Personal and Trial customers
  • Version number incremented to reflect timeline update

Credits/Contact

Feedback regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2014-005" in the subject.

]]>
<![CDATA[DUO-PSA-2014-004: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2014-004 https://duo.com/labs/psa/duo-psa-2014-004 Wed, 12 Feb 2014 00:00:00 -0500

Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-004
Original Publication Date: 2014-02-12
Revision Date: 2014-03-27
Status: Confirmed, Fixed
Document Revision: 3

Overview

Duo Security has identified an issue in which it is possible to bypass second factor authentication of multisite WordPress deployments which use the Duo WordPress plugin (prior to version 2.0).

Description

In a WordPress deployment using the “multisite” feature, WordPress allows members of different sites in the same network to authenticate through sites they are not a direct member of. In these deployments, if the Duo WordPress plugin is disabled globally -- but enabled on a site-by-site basis -- a member of a 2FA-enabled site may be able to bypass second factor authentication. Consider the following example:

A multisite WordPress deployment has two sites, Site1 and Site2, with the Duo WordPress plugin enabled for Site1 but disabled for Site2. Under normal circumstances, users logging into Site1 will be prompted for primary credentials and second-factor authentication; Site2 users will be prompted only for primary credentials. A Site1 user may force-browse to the login URL of Site2, which will authenticate the user (as part of the same Wordpress multisite network), and redirect them back to Site1, without prompting for second-factor authentication.

Note: This does not apply to single-site blogs.

Impact

A user with valid primary authentication credentials (username and password) may be able to bypass the second factor of authentication.

Affected Product(s)

Duo WordPress plugin 1.8.1 and earlier (only in multi-site deployments with Duo WordPress disabled globally and enabled on a site-by-site basis)

Solution

Install the Duo Security WordPress Integration version 2.2 or later on your WordPress host. The latest release can be downloaded from http://wordpress.org/plugins/duo-wordpress/. See /docs/wordpress for installation instructions.

Workaround

Due to the root cause/fix for this issue, Duo no longer recommends applying the workaround described in previous versions of this advisory.

Vulnerability Metrics

Vulnerability Class: Authentication Bypass Issue (CWE-592), Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Remotely Exploitable: Yes
Authentication Required: Yes/Partial (first factor required; second factor bypassed)
Severity: Medium
CVSSv2 Overall Score: 5.5
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3, Environmental: 5.5
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND

References

Timeline

2014-02-06

  • Possible 2FA bypass in multisite Wordpress integration deployments identified by Duo (internally)
  • Duo Security begins investigation
  • Duo Security confirms issue, continues investigation

2014-02-12

  • Advisory is created, shared with affected Business and Enterprise customers

2014-02-13

  • New document revision (v2) - CVSSv2 score is lowered from 6.3 to 6 (due to workaround)
  • Advisory is created, shared with all affected customers

2014-03-26

2014-03-27

  • New document revision (v3) - CVSSv2 score is lowered from 6 to 5.5 (due to official fix), fixed duo_wordpress version and removed workaround recommendation
  • Advisory is updated, shared with all affected customers

Credits/Contact

Feedback regarding this issue should be sent to support@duosecurity.com and reference “DUO-PSA-2014-004” in the subject.

]]>
<![CDATA[DUO-PSA-2014-003: Duo Product Security Advisory]]> https://duo.com/labs/psa/duo-psa-2014-003 https://duo.com/labs/psa/duo-psa-2014-003 Mon, 27 Jan 2014 00:00:00 -0500

Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-003
Publication Date: 2014-01-27
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue in which it is possible to bypass second factor authentication of Remote Desktop Protocol (RDP) integrations which are GINA-based (e.g. those installed on Windows XP/Server 2003).

Description

The RDP integration works to add two-factor authentication to Windows logins, both Remote Desktop and (optionally) the local console. When the user has provided valid credentials (username and password), the integration presents a second-factor authentication dialog. Under normal operation, when the second-factor authentication is successful, the user is logged on.

However, under certain circumstances (e.g. race conditions involving the user pressing "Ctrl-Alt-Delete" to interrupt a transitory dialog), the GINA framework would return an undocumented error, which was treated as a successful authentication.

Additionally, it was also identified that under these conditions, a thread used by the Duo integration would enter an undefined state. This could potentially lead to a crash in the Winlogon process, resulting in a Denial of Service (“blue screen”) of the host.

Impact

A user with valid primary authentication credentials (username and password) may be able to bypass the second factor of authentication.

Affected Product(s)

  • Duo RDP Integration (GINA-based) 1.1.3 and below running on Windows XP/Server 2003

Workaround

There is currently no workaround available for this issue.

Solution

A fixed version of the GINA-based RDP integration was released on 2014-01-24 (see Timeline below). Customers running version 1.1.3 or earlier should install the latest GINA-based integration to ensure two-factor authentication is enforced on all logins.

Vulnerability Metrics

Vulnerability Class: Authentication Bypass Issue (CWE-592), Unchecked Error Condition (CWE-391)
Remotely Exploitable: Yes
Authentication Required: Yes/Partial (first factor required; second factor bypassed)
Severity: High
CVSSv2 Overall Score: 7.2
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.7, Environmental: 7.2
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:W/RC:C/CDP:LM/TD:ND/CR:H/IR:H/AR:ND

References

Timeline

2014-01-23

  • Customer reported possible RDS 2FA bypass to Duo Security
  • Duo Security acknowledges receipt of report, begins investigation
  • Duo Security confirms issue, continues investigation
  • Duo Security creates fix for issue in affected product

2014-01-24

  • Fixed GINA integration is released

2014-01-27

  • Advisory is created, shared with affected Duo Security Business and Enterprise customers

2014-02-04

  • Advisory is shared with affected Duo Security Personal customers

Credits/Contact

Feedback regarding this issue should be sent to security@duosecurity.com and reference "DUO-PSA-2014-003" in the subject.

]]>