Full Report
It’s too easy when hacking, to assume something is invulnerable and not interrogate it. This was the case for me when it came to Duo’s two-factor authentication solution. However, we were able to discover two variants of the same 2FA bypass. These rely on redirecting a victim’s push notifications to an attacker-controlled device, to authorise access to a victim account. Interactions with Duo had this fixed in record time, and were easily some of the best vendor/researcher interactions we’ve ever had. If you’re looking for their technical guidance around this, you can find it here.
Analysis Summary
## Vulnerability: Duo Two-Factor Authentication Push Notification Redirection Bypass
## CVE Details
- CVE ID: Not explicitly provided in the text. (Note: Subsequent Duo advisories typically cover these findings, but are not cited here.)
- CVSS Score: Not explicitly provided in the text.
- CWE: Likely related to IDOR (Insecure Direct Object Reference) or flawed session/transaction binding.
## Affected Systems
- Products: Duo Two-Factor Authentication (2FA) Solution, specifically the push notification mechanism utilized during authentication flows where session/transaction identifiers (`sid` or `txid`) are reused across user contexts.
- Versions: Not specified, but affected client applications/integrations that proxy 2FA verification requests to Duo.
- Configurations: Integrations that failed to properly bind the 2FA transaction context to the currently authenticated user identity, allowing substitution of specific transaction tokens (`sid` or `txid`).
## Vulnerability Description
Two variants of a 2FA bypass impacting Duo's push authentication flow were discovered. The core flaw lay in how the transaction context was managed during the push verification step:
1. **`sid` Replacement Bypass:** An attacker could capture the HTTP request body containing the `sid` parameter generated when an attacker account initiates a Duo push. By logging in as a victim, intercepting their subsequent 2FA request, and replacing the victim's `sid` with the attacker's captured `sid`, the attacker could trick Duo into sending the push notification to the attacker's registered device, despite authenticating as the victim.
2. **`txid` Replacement Bypass:** A more stable variant involved intercepting the transaction ID (`txid`) returned after a push notification was successfully requested (but before acceptance). An attacker could then accept the push on their device, drop the ensuing victim verification request, and inject the captured, already-accepted `txid` into the victim's login flow. This made Duo believe the victim had successfully authenticated via 2FA.
## Exploitation
- Status: Exploited against the researcher's test accounts. PoC mechanism/steps are detailed in the report.
- Complexity: Low to Medium. Requires valid victim credentials (username/password) and the ability to intercept and modify the victim's 2FA verification request.
- Attack Vector: Network (via man-in-the-middle/interception of the verification request).
## Impact
- Confidentiality: High (Gained unauthorized access to the victim's account).
- Integrity: High (Ability to perform actions as the victim).
- Availability: Low (Functionality of the MFA solution was temporarily broken for the victim).
## Remediation
### Patches
- The vendor (Duo) responded quickly and implemented fixes. Users should ensure they are running the latest versions of the Duo integration components/SDKs involved in the authentication flow. The vendor published technical guidance: `https://duo.com/labs/psa/duo-psa-2021-001` (Defanged URL).
### Workarounds
- No specific immediate workarounds were detailed by the researcher post-patch, as the bypasses were rendered ineffective by the vendor update.
- **General Mitigation:** Ensure that the session/transaction identifiers used for step-up authentication (like Duo Push) are cryptographically bound to the ongoing user session and are invalidated immediately upon completion or timeout, preventing substitution across different user flows.
## Detection
- **Indicators of Compromise:** Unexplained successful Duo Push approvals originating from a controlled device immediately following a password-based login attempt by a different user context.
- **Detection Methods and Tools:** Monitor application logs for anomalous reuse or substitution of `sid` or `txid` parameters in backend API calls related to 2FA verification.
## References
- Vendor Advisory: `https://duo.com/labs/psa/duo-psa-2021-001` (Defanged URL)
- Research Blog: SensePost | Duo Two-factor Authentication Bypass (Published 28 January 2021)