# Duo Product Security Advisory

**Advisory ID:** DUO-PSA-2016-001

**Original Publication Date:** 2016-05-11

**Revision Date:** 2016-05-23

**Status:** Confirmed, Fixed

**Document Revision:** 3

## Overview

Duo Security has identified multiple issues in the Duo Authentication Proxy which, under certain configurations, could enable attackers to partially or fully bypass user authentication. Duo has no evidence that these vulnerabilities have been actively exploited.

These issues have been resolved in version 2.4.17 of the Duo Authentication Proxy. Customers using an affected configuration (see the "Solution" section below) should update to this version as soon as possible.

## Description

Two authentication bypass issues have been identified in certain Authentication Proxy configurations. Duo believes that these configurations are relatively uncommon; however, we strongly recommend that all customers using an affected configuration update the Authentication Proxy.

### LDAP Client:

If a Duo Authentication Proxy is configured to use an LDAP directory (Active Directory, OpenLDAP, etc.) for primary authentication, an attacker may in certain cases cause the Authentication Proxy to erroneously attempt to perform user authentication with an "unauthenticated BIND". Some LDAP implementations (e.g. Active Directory) unconditionally permit unauthenticated BIND operations. As a result, if an attacker can trigger this scenario (by sending an empty password), he will be able to partially or fully bypass authentication.

In particular, when the Authentication Proxy is configured as an LDAP-to-LDAP proxy and set up to allow users to concatenate passwords with Duo passcodes (e.g. by typing ",123456"), an attacker may fully bypass authentication by logging in with a blank password (e.g. ",123456").
Otherwise, when the Authentication Proxy is configured as a RADIUS-to-LDAP proxy and configured to use "plain" authentication, an attacker may be able to bypass primary authentication (but not Duo) by logging in with a blank password.

### RADIUS PEAPv1/GTC Server:

An issue has been found in the Authentication Proxy's implementation of RADIUS PEAPv1/GTC authentication, which is primarily used to support NetMotion Wireless integrations. In cases where users are otherwise not required to complete Duo authentication, the Authentication Proxy does not properly validate the results of primary authentication. This may occur, for example, if the associated application in Duo is configured with a "new user policy" of "Allow Access", or if the Authentication Proxy is configured with a failmode of "safe" and cannot communicate with Duo's service.

Additionally, for a new user policy of "Require Enrollment", users unrecognized by Duo may be permitted to enroll (but not log in) without successfully completing primary authentication.

## Impact

Attackers may be able to partially or fully bypass authentication on systems that authenticate users via affected configurations of the Duo Authentication Proxy.

## Affected Product(s)

Take the following steps to determine whether your configuration may be affected:

**1. Open your authproxy.cfg file.**

* Windows: `C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg`
* Linux: `/opt/duoauthproxy/conf/authproxy.cfg`

**2. Check for the following fields:**

* If you have a section marked `[ldap_server_auto]`, you must upgrade your Duo Authentication Proxy to version 2.4.16 or later.
* If you have a section marked `[ad_client]`, check to see if you have the following value beneath it: `auth_type=plain`. If you have this value, you must upgrade your Duo Authentication Proxy to version 2.4.16 or later.
* If you have a section marked `[radius_server_eap]`, you must upgrade your Duo Authentication Proxy to version 2.4.17 or later.
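The following is an added example, not Duo's code, illustrating the "LDAP Client" failure mode above: a proxy that splits a "password,passcode" secret and forwards the password part to an LDAP simple BIND. When that part is empty, the BIND is an "unauthenticated" bind (RFC 4513, section 5.1.2), which a directory such as Active Directory may accept without checking any credential. The `vulnerable_bind` function reproduces that flow; `hardened_bind` refuses to issue a BIND at all when the primary password (or the DN) is blank. The comma delimiter, the split-on-last-comma rule and the in-memory `FakeDirectory` are assumptions made for the example, not details from the advisory.

```python
"""Added example for the "LDAP Client" issue in DUO-PSA-2016-001 (not Duo's code).

Models a proxy that splits "password,passcode" and sends the password part to
an LDAP simple BIND. An empty password part produces an "unauthenticated" bind
(RFC 4513 s5.1.2), which AD-like directories accept. The hardened variant
refuses to bind when the primary password is blank.

Assumptions (not from the advisory): comma delimiter, split on the last comma,
and a constructed in-memory directory instead of a real LDAP server.
"""
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    reason: str


class FakeDirectory:
    """Constructed stand-in for an AD-like server: an empty password yields a
    successful (unauthenticated) bind regardless of the DN, as the advisory
    says some implementations do. Not a real LDAP client."""

    def __init__(self, users):
        self._users = users  # dn -> password

    def simple_bind(self, dn, password):
        if password == "":
            return BindResult(True, "unauthenticated bind accepted")
        if self._users.get(dn) == password:
            return BindResult(True, "authenticated")
        return BindResult(False, "invalid credentials")


def split_concatenated_password(secret, delimiter=","):
    """Split "password<delimiter>passcode" on the LAST delimiter so a password
    that itself contains the delimiter still works. Returns (password, factor);
    factor is None when no delimiter is present."""
    if delimiter not in secret:
        return secret, None
    password, _, factor = secret.rpartition(delimiter)
    return password, factor


def vulnerable_bind(directory, dn, secret):
    """The flawed flow: whatever the password part is, even "", goes to BIND."""
    password, _factor = split_concatenated_password(secret)
    return directory.simple_bind(dn, password)


def hardened_bind(directory, dn, secret):
    """Refuse a blank DN or blank password before any BIND is issued, so the
    directory never gets the chance to accept an unauthenticated bind on the
    user's behalf. (Verifying the passcode with Duo is out of scope here.)"""
    password, _factor = split_concatenated_password(secret)
    if not dn.strip():
        return BindResult(False, "empty DN refused; no BIND attempted")
    if not password.strip():
        return BindResult(False, "empty primary password refused; no BIND attempted")
    return directory.simple_bind(dn, password)


if __name__ == "__main__":
    # Constructed sample directory and a login that supplies only ",123456".
    directory = FakeDirectory({"CN=alice,DC=corp,DC=example": "s3cret"})
    dn = "CN=alice,DC=corp,DC=example"
    print("vulnerable:", vulnerable_bind(directory, dn, ",123456"))
    print("hardened:  ", hardened_bind(directory, dn, ",123456"))
```

The check belongs on the proxy, before the network call: relying on the directory to reject an empty password is exactly the assumption that fails on Active Directory, and a directory-side fix (disabling unauthenticated binds) only helps for directories that offer that setting.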
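As an added example (not a Duo tool), the script below encodes the three "Affected Product(s)" checks above against an authproxy.cfg file: it reads the file as INI syntax with `configparser`, works out the minimum version the advisory requires, and compares it with the installed version. It assumes only the exact section names the advisory lists are relevant and that version strings are dotted integers; the sample configuration embedded in it is constructed.

```python
"""Added example for the "Affected Product(s)" steps in DUO-PSA-2016-001.

Not Duo's tool. Encodes the advisory's three checks against an authproxy.cfg
(INI syntax, read with configparser) and compares the minimum required
version with the installed one.

Assumptions (not from the advisory): only the exact section names the
advisory lists are inspected; version strings are dotted integers.
"""
import configparser
import sys

LDAP_FIX = (2, 4, 16)  # LDAP client issues fixed in 2.4.16
EAP_FIX = (2, 4, 17)   # RADIUS PEAPv1/GTC issue fixed in 2.4.17

# Constructed sample: an ad_client with plain auth and a RADIUS auto server.
SAMPLE_CFG = """\
[ad_client]
host=dc.corp.example
service_account_username=svc_duo
auth_type=plain

[radius_server_auto]
ikey=EXAMPLE_IKEY
"""


def parse_version(text):
    """'2.4.16' -> (2, 4, 16); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def required_version(cfg_text):
    """Return (minimum required version or None, list of reasons).

    None means none of the advisory's affected configurations is present."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    needed = None
    reasons = []

    def require(version, why):
        nonlocal needed
        reasons.append(why)
        if needed is None or version > needed:
            needed = version

    if parser.has_section("ldap_server_auto"):
        require(LDAP_FIX, "[ldap_server_auto] present (LDAP-to-LDAP proxy)")
    if parser.has_section("ad_client"):
        auth_type = parser.get("ad_client", "auth_type", fallback="")
        if auth_type.strip().lower() == "plain":
            require(LDAP_FIX, "[ad_client] uses auth_type=plain")
    if parser.has_section("radius_server_eap"):
        require(EAP_FIX, "[radius_server_eap] present (PEAPv1/GTC server)")
    return needed, reasons


def needs_upgrade(cfg_text, installed_version):
    """Return (True if the installed version is older than required, reasons)."""
    needed, reasons = required_version(cfg_text)
    if needed is None:
        return False, reasons
    return parse_version(installed_version) < needed, reasons


def main(argv):
    # Usage: check_authproxy.py [path/to/authproxy.cfg] <installed-version>
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fh:
            cfg_text = fh.read()
        installed = argv[2]
    else:
        cfg_text, installed = SAMPLE_CFG, "2.4.15"
    upgrade, reasons = needs_upgrade(cfg_text, installed)
    needed, _ = required_version(cfg_text)
    for why in reasons:
        print("affected:", why)
    if needed is None:
        print("no affected configuration found")
    else:
        print("required >= %s, installed %s, upgrade needed: %s"
              % (".".join(map(str, needed)), installed, upgrade))


if __name__ == "__main__":
    main(sys.argv)
```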
## Solution

Customers using an affected configuration should upgrade to the latest version of the Duo Authentication Proxy as discussed above. Download the latest version from:

* Windows: <https://dl.duosecurity.com/duoauthproxy-latest.exe>
* Linux: <https://dl.duosecurity.com/duoauthproxy-latest-src.tgz>

For more information on upgrading the Authentication Proxy, see <https://duo.com/docs/authproxy-reference#upgrading-the-proxy>.

## Vulnerability Metrics

### LDAP Client:

* **Vulnerability Class:** CWE-230: Improper Handling of Missing Values
* **Remotely Exploitable:** Yes
* **Authentication Required:** No
* **Severity:** Critical
* **CVSSv2 Overall Score:** 6.9
* **CVSSv2 Group Scores:** Base: 8.8, Temporal: 6.9
* **CVSSv2 Vector:** (AV:N/AC:M/Au:N/C:C/I:C/A:N/E:POC/RL:OF/RC:C)

### RADIUS PEAPv1/GTC Server:

* **Vulnerability Class:** CWE-391: Unchecked Error Condition
* **Remotely Exploitable:** Yes
* **Authentication Required:** No
* **Severity:** High
* **CVSSv2 Overall Score:** 4.5
* **CVSSv2 Group Scores:** Base: 5.8, Temporal: 4.5
* **CVSSv2 Vector:** (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

## References

* [**LDAP Unauthenticated Mechanism Security Considerations**](<https://tools.ietf.org/html/rfc4513#section-6.3.1>)
* [**CWE-230: Improper Handling of Missing Values**](<https://cwe.mitre.org/data/definitions/230.html>)
* [**CWE-391: Unchecked Error Condition**](<https://cwe.mitre.org/data/definitions/391.html>)

## Timeline

### 2016-05-05

* Duo privately receives report of a security vulnerability in the Authentication Proxy
* Duo acknowledges receipt of report and begins investigation

### 2016-05-09

* Engineers at Duo confirm the issue and begin investigating potential fixes

### 2016-05-10

* Duo completes development and testing of fixes

### 2016-05-11

* Advisory released to paid Duo customers

### 2016-05-11

* Duo privately receives report of an additional authentication bypass issue in the Authentication Proxy
* Duo acknowledges receipt of additional report and begins investigation

### 2016-05-12

* Engineers at Duo confirm the second report and begin investigating potential fixes

### 2016-05-13

* Duo completes development and testing of new fixes

### 2016-05-16

* Advisory revised and re-released to paid Duo customers

### 2016-05-23

* Advisory released to non-paid Duo customers

## Credits/Contact

Technical questions regarding this issue should be sent to [firstname.lastname@example.org](<mailto:email@example.com>) and reference "DUO-PSA-2016-001" in the subject, or to your Customer Success Manager, if appropriate.

Duo Security would like to thank Ashley Bartlett of the Atlassian Workplace Technology team for reporting the LDAP issue.

Duo Security would like to thank Tom Weston at Teneo for reporting the RADIUS PEAPv1/GTC issue.