8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
61.3%
Advisory ID: DUO-PSA-2019-002 **CVE:**CVE-2019-3465 **Publication Date:**2019-11-12 **Revision Date:**2019-11-12 **Status:**Confirmed, Fixed Document Revision: 1
A third-party software library, which the Duo Access Gateway (DAG) uses to enable SAML as a first-factor authentication source, contains a vulnerability that could allow an attacker to impersonate a user when authenticating to an application that is federated through the Duo Access Gateway. Version 1.5.10 of the Duo Access Gateway corrects this issue.
This vulnerability was identified during an independent third-party security audit of SimpleSAMLphp and was reported to the maintainers. An issue was identified in the way that xmlseclib, a library used by SimpleSAMLphp to perform XML signing and encryption operations, validates the SignedInfo element of a SAML response.
Specifically, it was possible for an attacker to include data within a SAML response that, while not actually signed, would be interpreted by SimpleSAMLphp as signed by an Identity Provider (IdP). This issue is only applicable to Duo Access Gateways that are configured to use a SAML Identity Provider as their authentication source. DAGs configured to use Active Directory for first-factor authentication are not affected.
This vulnerability could allow an attacker who is able to authenticate to the DAG and obtain a valid signature in a SAML response from an Identity Provider to specify a different username to a Service Provider than was originally used to authenticate. This could allow an attacker to impersonate other users when accessing applications already available to them through the DAG. If the impersonated username has a Duo bypass policy applied, then the attacker could potentially access any application federated by the DAG.
Duo Authentication Gateway (DAG) version 1.5.9 and below
Duo recommends that all customers using Duo Access Gateway, but especially those who use the DAG with a SAML Identity Provider, upgrade to the latest version, 1.5.10, as soon as possible.
Vulnerability Class: CWE-287: Improper Authentication **Remotely Exploitable:**Yes **Authentication Required:**Yes **Severity:**High **CVSSv2 Overall Score:**1.7 **CVSSv2 Group Scores:**Base: 6.5, Temporal: 5.1 CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C/CDP:MH/TD:L/CR:M/IR:M/AR:L
Duo Security would like to thank the maintainers of SimpleSAMLphp for their help in remediating this issue.
If you have questions regarding this issue, please contact us at:
Or, reach out to your Customer Success Manager, as appropriate.
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
61.3%