Researchers trick Duo 2FA into sending authentication request to attacker-controlled device

Something you know, something you hack

UPDATED Penetration testers were able to bypass Duo Security’s two-factor authentication (2FA) controls during a client engagement after using a neat but certainly not threatening hack.

Shaun Kammerling and Michael Kruger of Orange Cyberdefense’s SensePost team discovered that, providing an attacker had access to a user’s login details and 2FA credentials, it was possible to log into a different user’s account without physical access to the victim’s authentication device.

The trick only worked with two accounts on the same Duo deployment, but the researchers were able to redirect a victim’s 2FA push notifications to an attacker-controlled device, which allowed them to authorize access to the victim account.

The vulnerability arises because of deficiencies in how session information is managed during 2FA using Duo’s technology.

Bypassing authentication

The SensePost team reported the issue to Duo in December 2020, and the security vendor acted promptly to resolve the problem.

Months went by to allow the changes to bed in, and the potential impact of the problem to be assessed, before both Duo and the researchers went public with details of the issue.

In an advisory, Duo explained the root cause of the problem:

When a user authenticated with a second factor, the state representing that authentication was not tied to the current user’s session.

Therefore, an attacker could reuse state information from a successful second factor authentication to bypass the two-factor authentication requirement of another user.

Duo Security, a Cisco Systems owned business since 2018, fixed the problem on December 15, 2020, just a day after it was reported. The fix came in automatically, so customers didn’t have to do anything.

‘No malicious activity’

A subsequent audit by Duo “found no evidence of any customer impact stemming from this issue”.

“Apart from verifying researcher testing, we identified one instance out of billions of authentication events where this issue may have been encountered, and, upon further investigation, have no indication this was a result of malicious activity,” it said.

Full technical details can be found on the Orange Cyberdefense blog.

In response to questions from The Daily Swig about the 2FA bypass find, Sensepost's Leon Jacobs offered a short synopsis.

"In short there was a state issue tying a user's session with a 2FA attempt," Jacobs explained. "Impact wise, if an attacker was on the same Duo deployment, they could bypass 2FA by redirecting prompts to their own device."

This story was updated to add comment from Sensepost's Leon Jacobs

READ MORE Cockpit CMS flaws exposed web servers to NoSQL injection exploits