Duo Product Security Advisory
Advisory ID: DUO-PSA-2018-001
Publication Date: 2018-03-06
Revision Date: 2018-03-06
Status: Confirmed, Fixed
Document Revision: 1
Overview
Duo has identified and fixed an issue in our public documentation for the Duo Unix integration. The Pluggable Authentication Module (PAM) stack we suggested for the AIX operating system contained a logic bug that could allow an attacker to bypass secondary authentication. An attacker who had separately compromised a user's primary authentication credentials could then gain access without completing secondary authentication.
This issue is not a software flaw in Duo Unix and does not require a Duo Unix software update. Applying the configuration change described below is sufficient to remediate the issue.
Description
To protect the 'su' and 'sshd' Unix programs, Duo previously (until 2018-02-26) recommended the following PAM configuration for the AIX operating system:
auth requisite pam_aix
auth sufficient /usr/lib/security/pam_duo.so
This stack first attempts primary authentication via the pam_aix module; because pam_aix is marked 'requisite', a failure there ends the stack immediately with an authentication failure. If primary authentication succeeds, the stack then attempts 2FA via the pam_duo module.
The error is that a failure from a module marked 'sufficient' does not cause the stack to fail; PAM simply ignores it and moves on. Because the preceding 'requisite' pam_aix module had already succeeded, the stack was primed with a 'success' result, and PAM returned that result regardless of what pam_duo returned. A 'sufficient' module only short-circuits the stack on success; it never contributes a failure.
Impact
Configuring Duo Unix with the faulty PAM configuration above means that 2FA is not enforced for the protected services: a user (or an attacker holding that user's primary credentials) is granted access even if the second factor fails. Administrators should update their PAM configuration as soon as possible.
Affected Product(s)
Duo Unix, when configured for AIX systems following Duo's documented PAM configuration prior to 2018-02-26.
Solution
Changing the control flag on the pam_duo line from 'sufficient' to 'required' fixes the issue. A failure from a 'required' module is recorded, and the stack returns failure once the remaining modules have run, so a failed second factor can no longer be masked by the earlier primary-authentication success:
auth requisite pam_aix
auth required /usr/lib/security/pam_duo.so
The complete recommended PAM configuration can be found here: https://duo.com/docs/duounix#pam-examples
Note that no changes to Duo Unix itself are required.
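To make the difference between the two stacks concrete, the following is an added example that is not part of the advisory or of Duo Unix: a small Python model of how PAM evaluates an 'auth' stack. It parses the two configurations quoted in the Description and Solution sections and evaluates them with every combination of primary and secondary outcomes. The control-flag semantics it implements (required, requisite, sufficient, optional) are the commonly documented Linux-PAM meanings, assumed here to match AIX closely enough to illustrate the bug; the module results are supplied by a dictionary rather than real PAM modules, and the function names are the example's own.

```python
"""Model of PAM 'auth' stack evaluation (example, not Duo Unix code).

Assumptions: control-flag semantics follow the usual Linux-PAM meanings;
module outcomes are injected through a dict instead of real modules.
"""
import os

OK = "ok"
FAIL = "fail"

# The two configurations quoted in the advisory (constructed inline).
VULNERABLE_STACK = """
auth requisite pam_aix
auth sufficient /usr/lib/security/pam_duo.so
"""
FIXED_STACK = """
auth requisite pam_aix
auth required /usr/lib/security/pam_duo.so
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")


def module_key(path):
    """Map 'pam_aix' or '/usr/lib/security/pam_duo.so' to 'pam_aix'/'pam_duo'."""
    return os.path.basename(path).split(".")[0]


def parse_stack(config, facility="auth"):
    """Parse 'type control module [args]' lines into (control, module) pairs."""
    stack = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        ptype, control, module = fields[0], fields[1].lower(), fields[2]
        if ptype != facility:
            continue
        if control not in CONTROLS:
            raise ValueError("unsupported control flag: %r" % control)
        stack.append((control, module_key(module)))
    return stack


def run_stack(stack, results):
    """Evaluate a parsed stack. results maps module key -> OK/FAIL.

    Returns (verdict, trace). The trace records each step and why the
    stack returned early, which is the interesting part for this bug.
    """
    trace = []
    required_failed = False   # a 'required' module failed (deferred failure)
    decisive_ran = False      # at least one required/requisite module ran
    optional_result = None
    for control, module in stack:
        result = results[module]
        trace.append("%s %s -> %s" % (control, module, result))
        if control == "requisite":
            if result == FAIL:
                trace.append("requisite failed: stack returns fail now")
                return FAIL, trace
            decisive_ran = True
        elif control == "required":
            if result == FAIL:
                required_failed = True
            decisive_ran = True
        elif control == "sufficient":
            if result == OK and not required_failed:
                trace.append("sufficient succeeded: stack returns ok now")
                return OK, trace
            trace.append("sufficient failed: result ignored")  # the bug
        else:  # optional: only matters if nothing else decides
            optional_result = result
    if required_failed:
        return FAIL, trace
    if decisive_ran:
        return OK, trace
    return optional_result or FAIL, trace


def evaluate(config, primary, second_factor):
    """Run one login attempt against a config string."""
    results = {"pam_aix": primary, "pam_duo": second_factor}
    return run_stack(parse_stack(config), results)


def enforces_2fa(config):
    """True only if a failed second factor always yields a failed login."""
    return all(evaluate(config, p, FAIL)[0] == FAIL for p in (OK, FAIL))


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_STACK), ("fixed", FIXED_STACK)):
        verdict, trace = evaluate(cfg, OK, FAIL)
        print("%s stack, primary ok, Duo fail -> %s" % (name, verdict))
        for step in trace:
            print("   ", step)
        print("    enforces 2FA:", enforces_2fa(cfg))
```

Running the module prints the evaluation trace for both stacks with a successful primary login and a failed second factor: the vulnerable stack returns ok because the failed 'sufficient' pam_duo result is discarded, while the fixed stack returns fail. The same model can be pointed at any other stack you are reviewing to check whether a 'sufficient' line sits after a decisive success.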
Vulnerability Metrics
Vulnerability Class: CWE-592: Authentication Bypass Issues
Remotely Exploitable: [Yes]
Authentication Required: [Partial]
Severity: [High]
CVSSv2 Overall Score: 5.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.7
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C
Timeline
2018-02-23
- Duo identifies a potential documentation error for Duo Unix on AIX
- Duo confirms that the posted documentation will not properly secure PAM on AIX
2018-02-26
- Duo begins testing to understand root cause of PAM configuration issue
- Duo identifies an appropriate fix and performs additional testing
- duo.com is updated with fixed documentation to prevent new PAM issues
2018-03-06
- PSA is distributed to potentially impacted customers using Duo Unix on AIX
References
- CWE-592: Authentication Bypass Issues - https://cwe.mitre.org/data/definitions/592.html
- Duo Unix Documentation - https://duo.com/docs/duounix
Credits/Contact
If you have questions regarding this issue, please contact us at:
- support@duosecurity.com, referencing "DUO-PSA-2018-001" in the subject
- our phone line at +1(844)386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.
Or, reach out to your Customer Success Manager, as appropriate.