History: Sep 30, 2022 - 7:15 p.m.

CVE-2022-20662

2022-09-30 19:15:10
CWE-287
cisco
web.nvd.nist.gov
cisco duo
macos
vulnerability
smart card
authentication
bypass
nvd
cve-2022-20662

CVSS3: 6.8

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.5
Confidence: High

EPSS: 0.001
Percentile: 25.7%

A vulnerability in the smart card login authentication of Cisco Duo for macOS could allow an unauthenticated attacker with physical access to bypass authentication. This vulnerability exists because the assigned user of a smart card is not properly matched with the authenticating user. An attacker could exploit this vulnerability by configuring a smart card login to bypass Duo authentication. A successful exploit could allow the attacker to use any personal identity verification (PIV) smart card for authentication, even if the smart card is not assigned to the authenticating user.

Affected configurations

Nvd

Node: cisco duo, Range: <2.0.0, macos

Vendor: cisco
Product: duo
Version: *
CPE: cpe:2.3:a:cisco:duo:*:*:*:*:*:macos:*:*

CNA Affected

[
  {
    "product": "Cisco Duo",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]
