Penetration testers were able to bypass Duo Security’s two-factor authentication (2FA) controls during a client engagement after using a neat but certainly not threatening hack.
Shaun Kammerling and Michael Kruger of Orange Cyberdefense’s SensePost team discovered that, providing an attacker had access to a user’s login details and 2FA credentials, it was possible to log into a different user’s account without physical access to the victim’s authentication device.
The trick only worked with two accounts on the same Duo deployment, but the researchers were able to redirect a victim’s 2FA push notifications to an attacker-controlled device, which allowed them to authorize access to the victim account.
The vulnerability arises because of deficiencies in how session information is managed during 2FA using Duo’s technology.
Bypassing authentication
The SensePost team reported the issue to Duo in December 2020, and the security vendor acted promptly to resolve the problem.
Months went by to allow the changes to bed in, and the potential impact of the problem to be assessed, before both Duo and the researchers went public with details of the issue.
In an advisory, Duo explained the root cause of the problem:
When a user authenticated with a second factor, the state representing that authentication was not tied to the current user’s session.
Therefore, an attacker could reuse state information from a successful second factor authentication to bypass the two-factor authentication requirement of another user.
Duo Security, a Cisco System owned business since 2018, fixed the problem on December 15, 2020, just a day after it was reported. The fix came in automatically, so customers didn’t have to do anything.
‘No malicious activity’
A subsequent audit by Duo “found no evidence of any customer impact stemming from this issue”.
“Apart from verifying researcher testing, we identified one instance out of billions of authentication events where this issue may have been encountered, and, upon further investigation, have no indication this was a result of malicious activity,” it said.
Full technical details can be found on the Orange Cyberdefense blog.
The Daily Swig asked the researchers to comment on what lessons might be drawn from the incident. No word back as yet but we’ll update this story as and when more information comes to hand.
Source: https://portswigger.net/daily-swig/researchers-trick-duo-2fa-into-sending-authentication-request-to-attacker-controlled-device
