Duo Product Security Advisory
Advisory ID: DUO-PSA-2016-001
Original Publication Date: 2016-05-11
Revision Date: 2016-05-23
Status: Confirmed, Fixed
Document Revision: 3
Overview
Duo Security has identified multiple issues in the Duo Authentication Proxy which, under certain configurations, could enable attackers to partially or fully bypass user authentication. Duo has no evidence that these vulnerabilities have actively been exploited.
These issues have been resolved in version 2.4.17 of the Duo Authentication Proxy. Customers using an affected configuration (see "Solution" section below) should update to this version as soon as possible.
Description
Two authentication bypass issues have been identified in certain Authentication Proxy configurations. Duo believes that these configurations are relatively uncommon; however, we strongly recommend that all customers using an affected configuration update the Authentication Proxy.
LDAP Client:
If a Duo Authentication Proxy is configured to use an LDAP directory (Active Directory, OpenLDAP, etc.) for primary authentication, an attacker may in certain cases cause the Authentication Proxy to erroneously attempt user authentication with an "unauthenticated BIND", i.e. a simple BIND that supplies a user name (DN) but an empty password. Some LDAP implementations (e.g. Active Directory) unconditionally permit unauthenticated BIND operations and report them as successful. As a result, if an attacker can trigger this scenario by sending an empty password, the attacker will be able to partially or fully bypass authentication.
In particular, when the Authentication Proxy is configured as an LDAP-to-LDAP proxy, and set up to allow users to concatenate passwords with Duo passcodes (e.g. by typing "
When the Authentication Proxy is instead configured as a RADIUS-to-LDAP proxy and set to use "plain" authentication, an attacker may be able to bypass primary authentication (but not Duo) by logging in with a blank password.
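The following is an added illustration, not code from the advisory or from the Duo Authentication Proxy. It models a directory that, like Active Directory, accepts unauthenticated simple binds, and contrasts a client that forwards whatever password it received with one that refuses to bind on an empty password. The directory contents, the DN layout, and the "," delimiter between primary password and Duo passcode are assumptions made for the example; the advisory as reproduced here does not state the delimiter.

```python
"""Simulated LDAP simple bind: how an empty password turns into an
"unauthenticated BIND", and the client-side check that prevents it.

RFC 4513 distinguishes three simple-bind forms: anonymous (empty name, empty
password), unauthenticated (non-empty name, empty password) and name/password.
A server that accepts the unauthenticated form returns success for a name it
never verified, so a client that forwards an empty password "authenticates"
whoever was named. Nothing here talks to a real directory.
"""
from typing import Callable, Optional, Tuple

# Constructed sample directory (DN -> password); not real data.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": "correct horse battery staple",
}

# Assumption: the delimiter between primary password and Duo passcode in the
# concatenated-password mode; the advisory text as reproduced does not state it.
ASSUMED_DELIMITER = ","

BindFn = Callable[[str, str], bool]


def user_dn(username: str) -> str:
    """Map a login name to a DN in the sample directory (assumed layout)."""
    return f"CN={username},OU=Users,DC=example,DC=com"


def ad_like_simple_bind(dn: str, password: str) -> bool:
    """Model of a server that, like Active Directory, permits unauthenticated binds."""
    if password == "":
        # Anonymous (dn == "") or unauthenticated (dn != "") bind: the server
        # reports success without comparing any credential.
        return True
    return DIRECTORY.get(dn) == password


def split_primary_and_passcode(submitted: str) -> Tuple[str, Optional[str]]:
    """Split 'password<delimiter>passcode' into its parts.

    Returns (submitted, None) when no delimiter is present. A bare ",123456"
    yields an empty primary password, which is exactly the input that must
    never reach simple bind.
    """
    primary, sep, passcode = submitted.rpartition(ASSUMED_DELIMITER)
    if not sep:
        return submitted, None
    return primary, passcode


def vulnerable_primary_auth(username: str, submitted: str,
                            bind: BindFn = ad_like_simple_bind) -> bool:
    """The failure mode the advisory describes: whatever is left after removing
    the passcode is handed straight to simple bind, even when it is empty."""
    primary, _passcode = split_primary_and_passcode(submitted)
    return bind(user_dn(username), primary)


def hardened_primary_auth(username: str, submitted: str,
                          bind: BindFn = ad_like_simple_bind) -> bool:
    """Refuse before anything goes on the wire unless both a name and a
    non-empty password are present, so the directory never receives an
    anonymous or unauthenticated bind on the user's behalf."""
    primary, _passcode = split_primary_and_passcode(submitted)
    if not username or not primary:
        return False
    return bind(user_dn(username), primary)


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_primary_auth),
                      ("hardened", hardened_primary_auth)):
        print(label, "blank password:", fn("alice", ""))
        print(label, "passcode only:", fn("alice", ",123456"))
        print(label, "real password:", fn("alice", "correct horse battery staple"))
```

The check belongs in the client because the server's behaviour is outside the proxy's control: a directory that honours unauthenticated binds will keep doing so, and the only reliable defence is to never issue a simple bind with an empty password in the first place.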
RADIUS PEAPv1/GTC Server:
An issue has been found in the Authentication Proxy's implementation of RADIUS PEAPv1/GTC authentication, which is primarily used to support NetMotion Wireless integrations. In cases where users are otherwise not required to complete Duo authentication, the Authentication Proxy does not properly validate the results of primary authentication. This may occur, for example, if the associated application in Duo is configured with a "new user policy" of "Allow Access", or if the Authentication Proxy is configured with a failmode of "safe" and cannot communicate with Duo's service. Additionally, for a new user policy of "Require Enrollment", users unrecognized by Duo may be permitted to enroll (but not login) without successfully completing primary authentication.
Impact
Attackers may be able to partially or fully bypass authentication on systems that authenticate users via affected configurations of the Duo Authentication Proxy.
Affected Product(s)
Take the following steps to determine whether your configuration may be affected:
1. Open your authproxy.cfg file.
- Windows: C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
- Linux: /opt/duoauthproxy/conf/authproxy.cfg
2. Check for the following sections and values:
- If you have a section marked [ldap_server_auto], you must upgrade your Duo Authentication Proxy to version 2.4.16 or later.
- If you have a section marked [ad_client], check to see if you have the following value beneath it: auth_type=plain. If you have this value, you must upgrade your Duo Authentication Proxy to version 2.4.16 or later.
- If you have a section marked [radius_server_eap], you must upgrade your Duo Authentication Proxy to version 2.4.17 or later.
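The procedure above can be automated. The script below is an added example, not a tool shipped with the Authentication Proxy: it reads an authproxy.cfg with the standard-library INI parser, applies exactly the three rules listed in the steps above, and reports the minimum version required. Treating numbered section variants (e.g. [ad_client2]) the same as the base name is an assumption of the example; the advisory lists only the unnumbered names. The embedded sample configuration is constructed and contains no real keys.

```python
"""Check an authproxy.cfg against the configurations DUO-PSA-2016-001 names
and report the minimum Authentication Proxy version it requires.

authproxy.cfg is an INI-style file, so the standard-library configparser
reads it. strict=False tolerates repeated options; interpolation is off so a
'%' in a value (e.g. a password) is not misread.
"""
import configparser
import re
import sys
from typing import List, Optional, Tuple

# (section name, required option value or None, minimum fixed version),
# as listed in the advisory's "Affected Product(s)" section.
RULES = [
    ("ldap_server_auto", None, "2.4.16"),
    ("ad_client", ("auth_type", "plain"), "2.4.16"),
    ("radius_server_eap", None, "2.4.17"),
]

# Assumption: numbered variants such as [ad_client2] are treated like the
# base section name; the advisory lists only the unnumbered names.
_NUMBER_SUFFIX = re.compile(r"\d+$")


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.4.17' into (2, 4, 17) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess_config(cfg_text: str) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Return (minimum required version or None, [(section, version), ...])."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(cfg_text)
    findings: List[Tuple[str, str]] = []
    for section in parser.sections():
        base = _NUMBER_SUFFIX.sub("", section)
        for name, condition, version in RULES:
            if base != name:
                continue
            if condition is not None:
                key, wanted = condition
                actual = parser.get(section, key, fallback="").strip().lower()
                if actual != wanted:
                    continue
            findings.append((section, version))
    if not findings:
        return None, findings
    required = max((v for _, v in findings), key=version_key)
    return required, findings


def installed_is_sufficient(installed: str, required: Optional[str]) -> bool:
    """True when no upgrade is needed for the given installed version."""
    return required is None or version_key(installed) >= version_key(required)


# Constructed sample configuration for a stand-alone run; not a real deployment.
SAMPLE_CFG = """\
[main]
debug=true

[ad_client]
host=dc1.example.com
service_account_username=svc_duo
service_account_password=not-a-real-password
search_dn=DC=example,DC=com
auth_type=plain

[radius_server_eap]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=not-a-real-secret-key
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.5
radius_secret_1=not-a-real-secret
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CFG
    required, findings = assess_config(text)
    for section, version in findings:
        print(f"[{section}] affected: needs {version} or later")
    print("minimum required version:", required or "none (no affected sections)")
```

Run it with the path of your authproxy.cfg (the Windows or Linux location given in step 1) as the only argument; with no argument it evaluates the embedded sample. Note that the [ad_client] rule fires only when auth_type is set to plain, matching the advisory: other auth_type values were not named as affected.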
Solution
Customers using an affected configuration should upgrade to the latest version of the Duo Authentication Proxy as discussed above. Download the latest version from:
- Windows: https://dl.duosecurity.com/duoauthproxy-latest.exe
- Linux: https://dl.duosecurity.com/duoauthproxy-latest-src.tgz
For more information on upgrading the Authentication Proxy, see https://duo.com/docs/authproxy-reference#upgrading-the-proxy
Vulnerability Metrics
LDAP Client:
Vulnerability Class: CWE-230: Improper Handling of Missing Values
Remotely Exploitable: Yes
Authentication Required: No
Severity: Critical
CVSSv2 Overall Score: 6.9
CVSSv2 Group Scores: Base: 8.8, Temporal: 6.9
CVSSv2 Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N/E:POC/RL:OF/RC:C)
RADIUS PEAPv1/GTC Server:
Vulnerability Class: CWE-391: Unchecked Error Condition
Remotely Exploitable: Yes
Authentication Required: No
Severity: High
CVSSv2 Overall Score: 4.5
CVSSv2 Group Scores: Base: 5.8, Temporal: 4.5
CVSSv2 Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)
References
- LDAP Unauthenticated Mechanism Security Considerations (RFC 4513, Section 6.3.1)
- CWE-230: Improper Handling of Missing Values
- CWE-391: Unchecked Error Condition
Timeline
2016-05-05
- Duo privately receives report of a security vulnerability in the Authentication Proxy
- Duo acknowledges receipt of report and begins investigation
2016-05-09
- Engineers at Duo confirm the issue and begin investigating potential fixes
2016-05-10
- Duo completes development and testing of fixes
2016-05-11
- Advisory released to paid Duo customers
2016-05-11
- Duo privately receives report of an additional authentication bypass issue in the Authentication Proxy
- Duo acknowledges receipt of additional report and begins investigation
2016-05-12
- Engineers at Duo confirm the second report and begin investigating potential fixes
2016-05-13
- Duo completes development and testing of new fixes
2016-05-16
- Advisory revised and re-released to paid Duo customers
2016-05-23
- Advisory released to non-paid Duo customers
Credits/Contact
Technical questions regarding this issue should be sent to support+ap@duosecurity.com and reference "DUO-PSA-2016-001" in the subject, or to your Customer Success Manager, if appropriate.
Duo Security would like to thank Ashley Bartlett of the Atlassian Workplace Technology team for reporting the LDAP issue. Duo Security would like to thank Tom Weston at Teneo for reporting the RADIUS PEAPv1/GTC issue.