-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Duo Product Security Advisory
=============================

Advisory ID: DUO-PSA-2017-001
Publication Date: 2017-03-14
Revision Date: 2017-03-14
Status: Confirmed, Fixed
Document Revision: 1

Overview
========

Duo has identified and fixed an issue in our cloud service which, under certain configurations, could have enabled attackers who have separately compromised a user's primary credentials to add additional unauthorized second-factor authentication devices or modify previously-registered devices for that user. The issue only affects a subset of customers who have enabled the Self-Service and Device Management Portal on their applications.

Duo resolved this issue within 24 hours of the report by deploying a fix to our cloud service that correctly enforces authentication in all cases prior to accessing the options to add/remove/change authentication devices associated with a user account.

Duo has confirmed with certainty that there were no attacks against this vulnerability on or after 2016-11-16, and has found no evidence suggesting that this vulnerability was ever exploited prior to that date. However, in the interest of transparency, we are sharing any activities performed through the Self-Service and Device Management Portal for which the possibility of an attack cannot be completely ruled out. If you have received this notification, Duo has flagged these activity patterns for your account. Again, there is no evidence that these are malicious activities, but you may choose to review these activities and/or take further actions, as described below.

Description
===========

Duo's cloud service contains two optional features called the Self-Service Portal and the Device Management Portal which allow users to manage their own Duo accounts and enrolled authentication devices.
On applications where either feature is enabled, an attacker who also had access to a user's primary credentials could have gained access to the portion of the portal where users can manage (add/change/remove) authentication devices by initiating - but not successfully completing - a second-factor authentication, then crafting and loading a special URL.

Impact
======

Duo has found no evidence that this vulnerability was ever exploited. A thorough analysis of detailed operational logs has confirmed that there were no attacks against this vulnerability from 2016-11-16 until the vulnerability was patched on 2017-02-10. A further analysis of less-granular operational logs prior to 2016-11-16 affirms that the vast majority of Duo customers and users were never impacted.

In a successful attack, an adversary who had previously compromised a user's primary credentials may have been able to add authentication devices or modify previously-registered authentication devices for that user, ultimately leading to bypass of second-factor authentication.

For a small subset of Duo users and customers, we have identified activity patterns prior to 2016-11-16 that could be consistent with either legitimate user activity or exploitation of this vulnerability. There is not enough information in our logs to allow us to distinguish between these two cases. After manually reviewing these log patterns, we strongly believe they are, in all cases, the result of legitimate user activity (e.g. adding, modifying, removing authentication devices) and represent false positives. Nonetheless, as we value transparency in security, we are presenting the complete list of the user activity to impacted customers so that they can determine for themselves whether to perform further review and/or take proactive action (e.g. re-enrolling those users).
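The flaw class described in the Description and Impact sections above, a device-management page reachable after a second-factor authentication was started but never completed, as an added illustration. This is not Duo's code and not the portal's actual logic: the session fields, the transaction id, the gate functions and the add_device/attacker_flow helpers are assumptions chosen only to show the pattern. It places a gate that trusts a pending second-factor transaction next to one that trusts only a completed second factor, and runs the attacker sequence the advisory describes (primary credentials, challenge started, management page loaded directly) against both.

```python
"""Illustrative model of the flaw class in DUO-PSA-2017-001 (CWE-592).

Added example, not Duo's code. The session fields, transaction ids and
gate functions are assumptions chosen to show the pattern the advisory
describes: a device-management page that was reachable after a
second-factor authentication had been started but not completed, next
to a gate that admits only a completed second factor.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
import secrets


@dataclass
class Session:
    user: str
    primary_ok: bool = False        # primary credentials accepted
    mfa_txn: Optional[str] = None   # second-factor challenge started (hypothetical id)
    mfa_verified: bool = False      # second factor completed successfully
    devices: List[str] = field(default_factory=list)


def login_primary(session: Session, password_ok: bool) -> None:
    session.primary_ok = password_ok


def start_mfa(session: Session) -> str:
    """Send the second-factor challenge and record a pending transaction."""
    if not session.primary_ok:
        raise PermissionError("primary authentication required first")
    # Constructed id; a real service would key this to the outstanding challenge.
    session.mfa_txn = secrets.token_hex(8)
    return session.mfa_txn


def complete_mfa(session: Session, txn: str, approved: bool) -> bool:
    """Verifier callback: only a matching, approved transaction sets mfa_verified."""
    if session.mfa_txn != txn or not approved:
        return False
    session.mfa_verified = True
    return True


Gate = Callable[[Session], bool]


def vulnerable_gate(session: Session) -> bool:
    # Flaw of the class described above: a pending second-factor transaction
    # is mistaken for a completed one, so a user who has only started the
    # challenge can navigate directly to the device-management page.
    return session.primary_ok and session.mfa_txn is not None


def fixed_gate(session: Session) -> bool:
    # Only a completed second factor unlocks device management; a started or
    # abandoned transaction is not enough.
    return session.primary_ok and session.mfa_verified


def add_device(session: Session, gate: Gate, device: str) -> str:
    """Device-management action guarded by the supplied gate."""
    if not gate(session):
        return "denied"
    session.devices.append(device)
    return "added"


def attacker_flow(gate: Gate) -> str:
    """Attacker with the victim's primary credentials starts the challenge,
    never completes it, and requests the device-management action directly."""
    s = Session(user="victim")
    login_primary(s, password_ok=True)
    start_mfa(s)                                   # challenge goes to the victim's real device
    return add_device(s, gate, "attacker-phone")   # direct request to the management page


def legitimate_flow(gate: Gate) -> str:
    """Normal user: primary login, challenge approved, then device added."""
    s = Session(user="victim")
    login_primary(s, password_ok=True)
    txn = start_mfa(s)
    complete_mfa(s, txn, approved=True)
    return add_device(s, gate, "new-phone")


if __name__ == "__main__":
    print("vulnerable gate, attacker: ", attacker_flow(vulnerable_gate))   # added
    print("fixed gate, attacker:      ", attacker_flow(fixed_gate))        # denied
    print("fixed gate, legitimate:    ", legitimate_flow(fixed_gate))      # added
```

The design point is that the management gate must key on a positive state that only the second-factor verifier can set (mfa_verified), never on the mere existence of a login or challenge; any state reachable before the verifier's approval is, by construction, reachable by whoever holds the primary credentials.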
Customers receiving this notification can use the Duo Administrator Panel to find the list of user activities for review and potential follow-up action at https://admin.duosecurity.com/psa/DUO-PSA-2017-001.

Affected Product(s)
===================

Affected configurations include any applications that enabled the Device Management / Self-Service Portal features with Duo's service.

Solution
========

A fix that correctly enforces authentication in the Self-Service Portal and Device Management Portal has been deployed to Duo's cloud service. No action is necessary for customers to resolve the issue. Customers can perform further review of user activity and/or take proactive action in the Duo Administrator Panel at https://admin.duosecurity.com/psa/DUO-PSA-2017-001.

Vulnerability Metrics
=====================

Vulnerability Class: CWE-592: Authentication Bypass Issues
Remotely Exploitable: [Yes]
Authentication Required: [Partial]
Severity: [High]
CVSSv2 Overall Score: 6.5
CVSSv2 Group Scores: Base: 7.9, Temporal: 6.5
CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C

References
==========

* CWE-592: Authentication Bypass Issues - https://cwe.mitre.org/data/definitions/592.html
* Duo Self-Service Portal - https://duo.com/docs/self-service-portal
* Duo Device Management Portal - https://duo.com/docs/device-management

Timeline
========

2017-02-09
* Duo privately receives report of a security vulnerability in the Self-Service Portal and Device Management Portal
* Duo acknowledges receipt of report and begins investigation
* Duo confirms vulnerability exists
* Duo begins development of a patch

2017-02-10
* Duo confirms the vulnerability with the reporting party
* Duo commits and tests a fix
* Fix is deployed to all Duo cloud deployments, closing off the vulnerability for all customers
* Duo begins retrospective evaluation for all possible indicators that the vulnerability might have been exploited

2017-02-14
* Duo confirms via retrospective analysis that no attacks have occurred in the previous 90 days, begins search back toward origin of vulnerability in March 2014

2017-02-22
* Duo concludes retrospective evaluation for all possible indicators that the vulnerability might have been exploited
* Duo begins developing functionality to allow customers to access information about flagged user activities and, if desired, disable logins and require re-enrollment for these users

2017-03-06
* Duo completes development of remediation functionality, and begins testing/deployment

2017-03-13
* Deployment of remediation functionality completed

2017-03-14
* PSA distributed to potentially impacted customers

Credits/Contact
===============

If you have questions regarding this issue, please contact us at:

* support@duosecurity.com, referencing "DUO-PSA-2017-001" in the subject
* our phone line at +1(844)386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.

Or, reach out to your Customer Success Manager, as appropriate.

Duo Security would like to thank Brian W. Gray of Carnegie Mellon University for reporting this issue and the Carnegie Mellon Identity Services team for their assistance throughout.

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJYxvu2AAoJEEcOFkS+z+1xJ5cP/1Lpzk5PDeYqFNvegdEIhDCs
3/+z98rNVhdBgAwnYCdWSgk2KG4WkNacRClQmimmPBu7V6x0sb1iHSYoANUtn6SX
UtTDuoWQYG7QsayRDJYmMVIy+njnVQSPBeJhIpdSAYmxi07gimnWzQNExL8WGzb1
MtxdYXu55zLK7a6Tkkdy+jAPlXTUAsTEe55Rf5IRTJqjqySLHaqZBs30h5Ad48qv
7rL9h1hfesuyVf43Vs2mhHzRvpm5/e6Gp7Bq+I2KH6OLaFQidM2fm4ZF25LT07xA
o5LIES1OumJwSK4gLXUOIUjI6MA/GrGoeuZN/o5pKVwgJI1sQPdANjVoXAudlPoe
vHzyWaUXz/3pLXSl4evxZ8tgIQO5YbVcqgIUYgFMWN+vZg6rEydZS6h/SoG74J1c
oldtkky5QVk8Fw3ewDmD5Lt19kMBOxyfHFIJixjQvqqn+g2onIdXjp468VsrwI++
X+BefK48DzUQpB0uUTPpwVMFB0R1KsvfBQSx/clZeK1Vs9FXxjcK4pZrSNOmKw9c
SKnkRnYlf3279nBUA8dZGkifs4oBHfoGwsU9/y+h1B7SBEdVm4WSbekHZv/C1Axn
N/qTAZVBnTAYWv8orat8DfeaPBzsXA/UzaXw4YylACtEEsILO06ehwwlcaVVxAY/
aSVKjAyPtTusnL+6/nGP
=LdHM
-----END PGP SIGNATURE-----