Advisory ID: DUO-PSA-2020-002
Publication Date: 2020-04-28
Revision Date: 2020-04-28
Status: Confirmed, Fixed
Document Revision: 1
Duo Engineering has identified and fixed an issue with directory sync for on-premises Microsoft Active Directory, OpenLDAP, and Azure Active Directory related to access rights of fully authenticated users. As a result of this issue, users who had been manually placed in a group and who were later synced as part of a directory-synced group continued to be part of the manually-created group. A successful sync should have removed them from the manually-created group. This issue could have allowed access that was previously granted to a user via the manual group to inadvertently persist, only if it was different from access granted by their synced groups. The issue was first discovered by Duo and was also reported to us by a customer, prior to completion of a fix. For customers synchronizing with on-premises directories, a fix was deployed on April 3, 2020. A fix for Azure was deployed in a rolling release between April 13 and April 23, 2020.
If you received this notification via email, Duo's analysis showed that you had at least one manually-created group whose permissions could affect users' security posture if they were not correctly removed from that group via a directory sync. Out of an abundance of caution, we directly notified all customers who met this criteria as of our analysis on April 8, 2020, to allow them to review their policies associated with manually-created groups. This is described below under “Solution.”
Duo allows groups to be created and managed in one of two ways: groups can be created and edited manually, or by synchronizing group information from a directory. These options are designed to be mutually exclusive; in particular, a user managed by directory sync cannot be added to manually-created groups. In addition, if a manually-created user later becomes sync-managed, that user’s existing memberships in manually-created groups should (as stated in Duo’s documentation) be removed.
However, an issue was identified in which sync-managed users who were previously manually added to a manually-created group were not removed from these groups after a directory sync as expected. When functioning correctly, the sync should remove synced users from all manually-created Duo groups and place them in the synced groups.
Group membership permissions are evaluated for both synced groups and manually-created groups. If a user is a member of both a synced group and a manually-created group, their permissions will be evaluated for both groups, one after the other. The order by which group permissions is evaluated is configurable by Duo administrators, so for users affected by this issue, their manual group permissions may or may not have been evaluated before their synced group permissions.
We are not aware of any malicious activity resulting from this issue. Based on our analysis, it appears that this issue has been present in Azure Active Directory sync since November 2016. For on-premises Active Directory/OpenLDAP, the issue was introduced on March 22, 2020, but fixed for all customers on April 3, 2020.
Failure to remove users from manually-created groups could have resulted in a situation where some users who were previously granted access via a manually-created group may have had this access inadvertently persist if the permissions of the users' manually-created group(s) were different from those of their synced group(s).
Directory sync for on-premises Microsoft Active Directory/OpenLDAP, and Azure Active Directory
Duo deployed a fix for this issue to all on-premises Microsoft Active Directory and OpenLDAP customers on April 3, 2020. A fix for Azure Active Directory customers was deployed in a rolling release between April 13 and April 23, 2020. The fix restores the original behavior where the users are correctly removed from manually-created groups when the sync is complete. In general, no additional action should be required from customers, as any previously-affected users should have been corrected by the sync process so long as a sync was able to successfully run.
We also recommend that administrators visit <https://admin.duosecurity.com/users/directorysync> to confirm that their directory sync is working successfully so that these fixes can take full effect. Additional activity logs related to directory sync can be found at <https://admin.duosecurity.com/logs/admin-actions>
Vulnerability Class: CWE-842: Placement of User into Incorrect Group
Remotely Exploitable: Yes
Authentication Required: Yes
CVSSv2 Overall Score: 5.5
CVSSv2 Group Scores: Base: 3.2, Temporal: 2.5
CVSSv2 Vector: AV:N/AC:H/Au:M/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:LM/TD:H/CR:H/IR:H/AR:ND
If you have questions regarding this issue, please contact us at: