Duo Product Security Advisory

Advisory ID: DUO-PSA-2018-003

Publication Date: 2018-05-31

Revision Date: 2018-05-31

Status: Confirmed, Fixed

Document Revision: 1





Overview

Duo has identified and fixed an issue with our documentation for the Duo Authentication Proxy integration with VMware Horizon View. The previously recommended configuration could allow a malicious user who had separately compromised a user's primary authentication credentials to gain access without secondary authentication. This issue has since been resolved in our official documentation.





Description

A Duo Security employee identified a secondary authentication bypass condition in the previous documentation (available until 2018-05-22), in which the Duo Authentication Proxy performed secondary authentication while VMware Horizon View handled primary authentication independently. Because VMware Horizon View's implementation prompts for secondary authentication before primary authentication, this could have allowed a malicious user to leverage a different user's primary credentials after successfully passing secondary authentication for their own account.





Impact

When configuring VMware Horizon View and the Duo Authentication Proxy with [duo_only_client], there is no relationship between the user who successfully performed a second-factor authentication with Duo and the user who then submits a username and password. This configuration could have potentially allowed a malicious user to bypass a targeted user's secondary authentication by completing secondary authentication for their own account and then submitting the target user's primary credentials.





Affected Product(s)

Duo Authentication Proxy (VMware Horizon View Integration)





Solution

In order to resolve this issue, we advise our customers who are using the VMware Horizon View integration to remove the [duo_only_client] section and configure the [ad_client] section in the Duo Authentication Proxy configuration. Customers must also make sure to enable both "Enforce 2-factor and Windows user name matching" and "Use the same username and password for RADIUS and Windows authentication" in VMware Horizon View.



As a result, the Duo Authentication Proxy will require correct primary authentication credentials before triggering secondary authentication, ensuring that primary and secondary authentication are performed for the same user. This configuration also ensures that VMware Horizon View will not allow a user to enter different login credentials during primary authentication. Recommended main and alternate configurations can be found here:

- https://duo.com/docs/vmwareview

- https://duo.com/docs/vmwareview-alt



Please note that if you were previously using [duo_only_client], the AD password reset feature with VMware Horizon View will no longer work with the updated [ad_client] configuration.
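The configuration change described above, shown as an added illustration that is not taken from this advisory or from Duo's published documentation. Section and key names are assumed to follow the Authentication Proxy's authproxy.cfg format; all hostnames, secrets and DNs are placeholders, and the exact settings for a given deployment should be taken from the linked documentation.

```ini
; --- PREVIOUS (superseded) layout: Duo-only client ---
; The proxy performs second-factor authentication only. Primary
; credentials are checked separately by Horizon View, so nothing ties
; the user who approved the Duo prompt to the username/password that
; is entered afterwards.
;[duo_only_client]
;
;[radius_server_auto]
;ikey=PLACEHOLDER_INTEGRATION_KEY
;skey=PLACEHOLDER_SECRET_KEY
;api_host=api-PLACEHOLDER.duosecurity.com
;radius_ip_1=10.0.0.10          ; placeholder: Horizon Connection Server
;radius_secret_1=PLACEHOLDER_RADIUS_SECRET
;client=duo_only_client

; --- UPDATED layout: primary auth against AD, then Duo ---
; The proxy first verifies the submitted username and password against
; Active Directory and only then sends the Duo push/passcode prompt for
; that same username, so both factors are bound to one account.
[ad_client]
host=dc1.example.local          ; placeholder: domain controller
service_account_username=svc-duoproxy    ; placeholder
service_account_password=PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=local   ; placeholder base DN

[radius_server_auto]
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=10.0.0.10           ; placeholder: Horizon Connection Server
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
failmode=safe
client=ad_client                ; primary auth now handled by the proxy

; On the Horizon View side, in the Connection Server's RADIUS settings,
; enable both "Enforce 2-factor and Windows user name matching" and
; "Use the same username and password for RADIUS and Windows
; authentication" so the username sent to RADIUS cannot differ from the
; one used for the Windows logon.
```

After switching, verify that a login attempt with a wrong password is rejected before any Duo prompt is issued; the AD password reset flow that worked with [duo_only_client] is not available with this layout, as noted above.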





Vulnerability Metrics

Vulnerability Class: CWE-288: Authentication Bypass Using an Alternate Path or Channel

Remotely Exploitable: [Yes]

Authentication Required: [Partial]

Severity: [Medium]

CVSSv2 Overall Score: 6.0

CVSSv2 Group Scores: Base: 6.3, Temporal: 6.0

CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:N/A:N/E:F/RL:U/RC:C





Timeline

2018-05-15

A Duo employee identifies a potential security issue while troubleshooting a customer concern.

2018-05-16

Duo verifies the security issue exists and investigates the root cause of the problem.

2018-05-17

Duo performs internal testing to determine an appropriate remediation strategy.

Duo updates published documentation with an intermediate mitigation for the issue.

2018-05-18

Duo gathers more information on this issue through additional analysis and testing.

2018-05-22

Duo updates documentation with the final version of needed configuration changes.

2018-05-31

PSA is distributed to impacted customers to provide awareness of this documentation change.





References

CWE-288: Authentication Bypass Using an Alternate Path or Channel - https://cwe.mitre.org/data/definitions/288.html

VMware Horizon View and Duo Authentication Proxy setup documentation - https://duo.com/docs/vmwareview

VMware Horizon View and Duo Authentication Proxy alternate setup documentation - https://duo.com/docs/vmwareview-alt







Credits/Contact

If you have questions regarding this issue, please contact us at:

