Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-004
Original Publication Date: 2014-02-12
Revision Date: 2014-03-27
Status: Confirmed, Fixed
Document Revision: 3

Overview

Duo Security has identified an issue in which it is possible to bypass second factor authentication of multisite WordPress deployments which use the Duo WordPress plugin (prior to version 2.0).

Description

In a WordPress deployment using the “multisite” feature, WordPress allows members of different sites in the same network to authenticate through sites they are not a direct member of. In these deployments, if the Duo WordPress plugin is disabled globally — but enabled on a site-by-site basis — a member of a 2FA-enabled site may be able to bypass second factor authentication. Consider the following example:

A multisite WordPress deployment has two sites, Site1 and Site2, with the Duo WordPress plugin enabled for Site1 but disabled for Site2. Under normal circumstances, users logging into Site1 will be prompted for primary credentials and second-factor authentication; Site2 users will be prompted only for primary credentials. A Site1 user may force-browse to the login URL of Site2, which will authenticate the user (as part of the same WordPress multisite network) and redirect them back to Site1, without prompting for second-factor authentication.

Note: This does not apply to single-site blogs.
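The login pattern described above leaves a trace in the web server's access logs: a successful login POST on a site without the plugin that hands the user off to a 2FA-enabled site. The following detection script is an added example, not part of this advisory or of the Duo plugin. It assumes a subdomain-style multisite install logged in Apache's vhost_combined format (so each line starts with the site's hostname), that a successful login answers with HTTP 302, and that the hand-off target appears either in WordPress's redirect_to query parameter or in the Referer header; the log lines and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "vhost_combined" style lines (assumed log format):
# %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic, not real logs: site1 has Duo enabled, site2 does not.
SAMPLE_LOG = """\
site1.example.net:80 10.0.0.5 - - [12/Feb/2014:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://site1.example.net/wp-login.php" "Mozilla/5.0"
site2.example.net:80 10.0.0.7 - - [12/Feb/2014:10:02:30 +0000] "POST /wp-login.php?redirect_to=http%3A%2F%2Fsite1.example.net%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
site2.example.net:80 10.0.0.9 - - [12/Feb/2014:10:03:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://site2.example.net/wp-login.php" "Mozilla/5.0"
site2.example.net:80 10.0.0.11 - - [12/Feb/2014:10:04:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "http://site1.example.net/wp-login.php" "Mozilla/5.0"
"""

def login_destination(target, referer):
    """Host the login hands the user to: redirect_to parameter first, else the Referer host."""
    query = parse_qs(urlsplit(target).query)  # parse_qs percent-decodes the value
    if query.get("redirect_to"):
        return urlsplit(query["redirect_to"][0]).hostname
    if referer and referer != "-":
        return urlsplit(referer).hostname
    return None

def find_cross_site_logins(log_text, mfa_sites):
    """Return (ip, login_vhost, destination_host) for successful logins (302 on POST
    /wp-login.php) on a site without the plugin that hand off to a 2FA-enabled site."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "302":
            continue  # not a completed login (a 200 on POST is the form re-shown after failure)
        if urlsplit(m["target"]).path != "/wp-login.php":
            continue
        dest = login_destination(m["target"], m["referer"])
        if m["vhost"] not in mfa_sites and dest in mfa_sites:
            findings.append((m["ip"], m["vhost"], dest))
    return findings

if __name__ == "__main__":
    for hit in find_cross_site_logins(SAMPLE_LOG, {"site1.example.net"}):
        print("possible second-factor bypass:", hit)
```

On the sample, only the 10.0.0.7 login on site2 with a redirect_to pointing at site1 is reported; the site1 login and the site2-to-site2 login are normal, and the 200 response is a failed login. A subdirectory-style multisite network would need the site derived from the request path instead of the vhost.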

Impact

A user with valid primary authentication credentials (username and password) may be able to bypass the second factor of authentication.

Affected Product(s)

Duo WordPress plugin 1.8.1 and earlier (only in multi-site deployments with Duo WordPress disabled globally and enabled on a site-by-site basis)

Solution

Install the Duo Security WordPress Integration version 2.2 or later on your WordPress host. The latest release can be downloaded from http://wordpress.org/plugins/duo-wordpress/. See https://www.duosecurity.com/docs/wordpress for installation instructions.

Workaround

Because of the root cause of this issue and the nature of the fix, Duo no longer recommends applying the workaround described in previous revisions of this advisory.

Vulnerability Metrics

Vulnerability Class: Authentication Bypass Issue (CWE-592), Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Remotely Exploitable: Yes
Authentication Required: Yes/Partial (first factor required; second factor bypassed)
Severity: Medium
CVSSv2 Overall Score: 5.5
CVSSv2 Group Scores: Base: 4.9, Temporal: 4.3, Environmental: 5.5
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND

References

CWE-592: Authentication Bypass Issues
CWE-288: Authentication Bypass Using an Alternate Path or Channel
WordPress Codex: Multisite

Timeline

2014-02-06

2014-02-12

2014-02-13

2014-03-26

2014-03-27

Credits/Contact

Feedback regarding this issue should be sent to support@duosecurity.com and reference “DUO-PSA-2014-004” in the subject.