
DUO-PSA-2019-002: Duo Product Security Advisory

Duo Security Advisories
duo.com

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.002 Low (percentile 61.3%)

Duo Product Security Advisory

Advisory ID: DUO-PSA-2019-002
CVE: CVE-2019-3465
Publication Date: 2019-11-12
Revision Date: 2019-11-12
Status: Confirmed, Fixed
Document Revision: 1

Overview

A third-party software library, which the Duo Access Gateway (DAG) uses to enable SAML as a first-factor authentication source, contains a vulnerability that could allow an attacker to impersonate a user when authenticating to an application that is federated through the Duo Access Gateway. Version 1.5.10 of the Duo Access Gateway corrects this issue.

Description

This vulnerability was identified during an independent third-party security audit of SimpleSAMLphp and was reported to the maintainers. The issue lies in the way xmlseclibs, the library SimpleSAMLphp uses for XML signing and encryption operations, validates the SignedInfo element of a SAML response.

Specifically, it was possible for an attacker to include data within a SAML response that, while not actually signed, would be interpreted by SimpleSAMLphp as signed by an Identity Provider (IdP). This issue is only applicable to Duo Access Gateways that are configured to use a SAML Identity Provider as their authentication source. DAGs configured to use Active Directory for first-factor authentication are not affected.

Impact

This vulnerability could allow an attacker who is able to authenticate to the DAG and obtain a valid signature in a SAML response from an Identity Provider to specify a different username to a Service Provider than was originally used to authenticate. This could allow an attacker to impersonate other users when accessing applications already available to them through the DAG. If the impersonated username has a Duo bypass policy applied, then the attacker could potentially access any application federated by the DAG.
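The failure mode described above, unsigned data accepted as if the IdP's signature covered it, is the general class a Service Provider has to guard against. The following is an added example, not Duo's, SimpleSAMLphp's or xmlseclibs' code and not a reproduction of the specific xmlseclibs defect: after the XML signature itself has been verified, the SP confirms that the NameID it is about to act on sits inside the element the signature's Reference actually covers, rather than anywhere in the Response. Every name in it (covered_elements, accepted_subject, the constructed sample responses with placeholder digest and signature values) is this example's own assumption.

```python
# Added example, not Duo's, SimpleSAMLphp's or xmlseclibs' code and not a
# reproduction of the xmlseclibs defect: check that the NameID an SP trusts lies
# inside the subtree an IdP signature covers. Cryptographic verification of
# SignedInfo/SignatureValue is assumed done; samples below are constructed.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def q(ns, local):
    """Clark-notation tag name as ElementTree expects it."""
    return "{%s}%s" % (ns, local)

def parent_map(root):
    """ElementTree has no parent pointers; build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}

def covered_elements(root):
    """Elements some ds:Signature references through ds:Reference/@URI.
    Only a SignedInfo that is a direct child of ds:Signature is consulted; a
    descendant search could pick up an attacker-supplied element nested
    elsewhere inside the Signature (for example under ds:Object)."""
    by_id = {}
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is not None:
            if el_id in by_id:
                raise ValueError("duplicate ID %r" % el_id)  # ambiguous target
            by_id[el_id] = el
    covered = set()
    for sig in root.iter(q(DS, "Signature")):
        signed_info = sig.find(q(DS, "SignedInfo"))  # direct child only
        if signed_info is None:
            continue
        for ref in signed_info.findall(q(DS, "Reference")):
            uri = ref.get("URI", "")
            if uri == "":
                covered.add(root)  # same-document reference: whole document
            elif uri.startswith("#") and uri[1:] in by_id:
                covered.add(by_id[uri[1:]])
    return covered

def is_covered(el, covered, parents):
    """True if el is, or sits inside, an element a signature covers."""
    while el is not None:
        if el in covered:
            return True
        el = parents.get(el)
    return False

def subject_of_first_assertion(response_xml):
    """Take the first Assertion's NameID as a naive SP would, then refuse it
    unless a signature covers it."""
    root = ET.fromstring(response_xml)
    covered = covered_elements(root)
    assertion = root.find(q(SAML, "Assertion"))
    if assertion is None:
        raise ValueError("no Assertion in Response")
    name_id = assertion.find("%s/%s" % (q(SAML, "Subject"), q(SAML, "NameID")))
    if name_id is None:
        raise ValueError("Assertion has no Subject/NameID")
    if not is_covered(name_id, covered, parent_map(root)):
        raise ValueError("NameID %r is not covered by any signature" % name_id.text)
    return name_id.text

def accepted_subject(response_xml):
    """The NameID the SP would act on, or None when the response is rejected."""
    try:
        return subject_of_first_assertion(response_xml)
    except ValueError:
        return None

# Placeholder enveloped signature (values are not real digests or signatures).
SIG = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%%s">'
       '<ds:DigestValue>ZmFrZQ==</ds:DigestValue></ds:Reference></ds:SignedInfo>'
       '<ds:SignatureValue>ZmFrZQ==</ds:SignatureValue></ds:Signature>') % DS

def assertion_xml(assertion_id, name_id, signed):
    """Constructed sample assertion, optionally with an enveloped signature
    whose Reference points at the assertion's own ID."""
    sig = SIG % assertion_id if signed else ""
    return ('<saml:Assertion ID="%s">%s<saml:Subject><saml:NameID>%s</saml:NameID>'
            '</saml:Subject></saml:Assertion>') % (assertion_id, sig, name_id)

def response_xml(*assertions):
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">%s'
            '</samlp:Response>') % (SAMLP, SAML, "".join(assertions))

# Constructed sample 1: the IdP signed a single assertion for "attacker".
LEGIT = response_xml(assertion_xml("_a1", "attacker", signed=True))

# Constructed sample 2: the attacker keeps that signed assertion (its digest and
# signature still verify) and prepends an unsigned assertion naming "victim".
WRAPPED = response_xml(assertion_xml("_a2", "victim", signed=False),
                       assertion_xml("_a1", "attacker", signed=True))

if __name__ == "__main__":
    print(accepted_subject(LEGIT))    # attacker
    print(accepted_subject(WRAPPED))  # None: the first NameID is unsigned
```

Run as a script, it accepts the assertion the IdP signed and rejects a response in which an unsigned assertion for another user was prepended, which is the username substitution the Impact section describes. Two choices matter: SignedInfo is read only as a direct child of ds:Signature, and duplicate ID attributes are rejected outright, since an ambiguous ID lets an attacker steer a Reference at an element of their choosing.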

Affected Product(s)

Duo Access Gateway (DAG) version 1.5.9 and earlier

Solution

Duo recommends that all customers using Duo Access Gateway, but especially those who use the DAG with a SAML Identity Provider, upgrade to the latest version, 1.5.10, as soon as possible.

Vulnerability Metrics

Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: High
CVSSv2 Overall Score: 1.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.1
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C/CDP:MH/TD:L/CR:M/IR:M/AR:L

Timeline

2019-11-04

  • 08:14 ET - Duo becomes aware of a vulnerability in SimpleSAMLphp that potentially affects the DAG
  • 14:08 ET - Duo contacts the SimpleSAMLphp maintainers requesting additional details about the vulnerability

2019-11-05

  • 02:48 ET - Duo receives a response from the maintainers with additional detail regarding the vulnerability
  • 08:15 ET - Duo begins reviewing the issue to determine if the DAG is impacted
  • 10:15 ET - After analysis of the issue, Duo believes the DAG is likely affected and begins working on a new release containing the fix
  • 16:28 ET - Duo begins the build and test process for creating a release candidate of the DAG

2019-11-06

  • 08:37 ET - Duo is able to use a proof of concept exploit to confirm that the DAG release candidate build with the fix is not vulnerable
  • 12:00 ET - Duo releases DAG version 1.5.10 and makes it available to customers

2019-11-12

  • Duo distributes PSA to potentially impacted customers

References

Credits/Contact

Duo Security would like to thank the maintainers of SimpleSAMLphp for their help in remediating this issue.

If you have questions regarding this issue, please contact us at:

Or, reach out to your Customer Success Manager, as appropriate.
