Advisory ID: DUO-PSA-2015-001
Original Publication Date: 2015-02-03
Revision Date: 2015-02-10
Status: Confirmed, Fixed
Document Revision: 3
Duo Security has identified an issue in certain versions of the Duo Web SDK that could allow attackers to bypass primary and secondary authentication if they have separately gained access to the Duo integration's secret key, and can create valid usernames containing pipe characters ('|').
Note: This issue does not affect any Duo-authored integrations; it only affects custom integrations developed using affected versions of the Web SDK.
Duo's Web SDK requires two secret values: the integration secret key (SKEY) and an application secret key (AKEY). The SKEY is shared between Duo and the application incorporating the Web SDK integration, while the AKEY must be known only to the application.
Both of these values must be kept confidential. In the unlikely event that attackers could gain access to the SKEY, he could use it to bypass secondary authentication. However, the Duo Web SDK incorporates an additional mechanism, using the AKEY, to ensure that attackers would only be able to use the SKEY to bypass secondary authentication; i.e. they would still need access to a target user's primary credentials (or to the AKEY itself) to log in.
Recently, Duo Security became aware of an issue in which certain versions of the Web SDK perform insufficiently-strict validation of responses from Duo's service. This issue could allow attackers to bypass this AKEY-based protection in an application using an affected version of the Web SDK, if they have separately gained access to the integration's confidential SKEY and can also create a valid user account with a username containing pipe characters ('|').
With affected versions of the Duo Web SDK, attackers may be able to bypass primary and secondary authentication if they can both:
The Web SDK's design relies on the SKEY being kept confidential; this issue can only be exploited in cases where a core security requirement has already been violated. As such, Duo Security considers the overall severity of this issue to be low.
Duo Web SDKs for:
The Web SDKs for Python, ASP Classic, ASP.NET, and NodeJS were not affected.
In addition, while Duo provides some integrations that incorporate affected versions of the Web SDK (for Confluence, Jira, Shibboleth, MediaWiki, Wordpress, and Drupal), we have determined that none of these integrations are affected by this issue.
For customers using custom integrations developed with affected versions of the Web SDK: update to the latest Web SDK.
All affected versions of the Web SDK have been patched to strictly validate responses, and reject usernames that contain pipe characters. The latest versions of the Web SDK can be found at:
Applications may mitigate this issue (without updating the Web SDK) if they either:
Vulnerability Class: Improper Handling of Extra Parameters (CWE-235)
Remotely Exploitable: Yes
Authentication Required: No
CVSSv2 Overall Score: 4.5
CVSSv2 Group Scores: Base: 4, Temporal: 3.3, Environmental: 4.5
CVSSv2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:H
Duo Security would like to thank the team at Sakurity for discovering and reporting this issue.
Technical questions regarding this issue should be sent to firstname.lastname@example.org and reference "DUO-PSA-2015-001" in the subject.
Other feedback regarding this issue can be sent to email@example.com.