Duo Product Security Advisory

Advisory ID: DUO-PSA-2015-002
Original Publication Date: 2015-04-06
Revision Date: 2015-04-13
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue in recent versions of Duo Mobile for iOS that could allow attackers to perform a successful Man-in-the-Middle (MITM) attack against the app's TLS connections, if they can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service.

This issue has been fixed in Duo Mobile 3.7.1; all iOS users should update as soon as possible.

Description

On the iOS platform, Duo Mobile leverages AFNetworking - a widely-used third-party HTTP client library - to communicate with Duo's cloud service. Recently, it was determined that AFNetworking did not validate digital certificates against server hostnames by default. As a result, Duo Mobile would e.g. consider a digital certificate for "www.example.com" as valid for "api-XXXXXXXX.duosecurity.com" when establishing a TLS tunnel.

This behavior makes it possible for an attacker to perform a successful Man-in-the-Middle (MITM) attack against TLS connections from affected versions of Duo Mobile, if he can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service. This might be a risk, for example, when using Duo Mobile while connected to untrusted wi-fi networks.

However, in addition to TLS, Duo Mobile uses application-level signatures to ensure the integrity and authenticity of requests sent from Duo Mobile to Duo's service. Becauses of this mechanism, a MITM attack would still not generally allow an attacker to e.g. approve a fraudulent Duo Push authentication request.

Note: A different vulnerability was introduced into AFNetworking in version 2.5.1, and recently gained widespread attention. Duo Mobile currently uses AFNetworking version 2.3.1, and was therefore not affected by that particular vulnerability. This is a separate - if very similar - issue.

Impact

An attacker can perform a successful Man-in-the-Middle (MITM) attack against Duo Mobile's TLS connections if he can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service. Duo's application-level signing mechanism still generally prevents the attacker from e.g. approving fraudulent Duo Push authentication requests. However, there are some limitations to this technique:

• Duo Mobile cannot use application-level signatures when setting up a new account, because - at this point - the app has not yet negotiated a key-pair with Duo's service. If an attacker intercepted traffic from Duo Mobile during this process, he could gain the ability to generate valid one-time passcodes and exert full control over subsequent Duo Push authentication requests intended for the targeted device.
• Requests from Duo Mobile to Duo's service have application-level signatures, but responses from the service do not. It may therefore be feasible for an attacker to manipulate details of a fraudulent authentication request such that it appears legitimate, thereby tricking a user into approving it.

Affected Product(s)

• Duo Mobile for iOS, versions 3.4 - 3.7

Solution

Duo Mobile 3.7.1 was published to the iTunes App Store on April 6, 2015. This version ensures that certificate domain-name validation is performed for all TLS connections.

Users should upgrade to this version immediately to prevent the issues described above. Note that administrators can audit their users' Duo Mobile app versions in the "phones" section of the Duo administrative interface.

As noted above, there is a small risk that users' Duo Mobile credentials could be compromised, if an attacker captured network traffic from Duo Mobile during account setup. After users have upgraded, administrators may choose to forcibly invalidate any existing credentials by re-activating users' Duo Mobile accounts in the administrative interface.

Vulnerability Metrics

Vulnerability Class: Improper Certificate Validation (CWE-295)
Remotely Exploitable: Yes
Authentication Required: No
Severity: High
CVSSv2 Overall Score: 5.8
CVSSv2 Group Scores: Base: 6.8, Temporal: 5.9, Environmental: 5.8
CVSSv2 Vector: AV:A/AC:L/Au:N/C:C/I:P/A:N/E:H/RL:OF/RC:C/CDP:MH/TD:M/CR:M/IR:H/AR:M

References

• AFNetworking issue #2619
• CWE-295: Improper Certificate Validation
• Heartbleed Defense-in-Depth Part #2: Don't Trust SSL

Timeline

2015-04-02

• Engineers at Duo internally discover that Duo Mobile for iOS does not correctly validate server certificates.
• Duo develops a fix and submits an updated Duo Mobile 3.7.1 to the iTunes App Store.

2015-04-03

• Duo Mobile for iOS version 3.7.1 is approved by Apple

2015-04-06

• Duo completes testing on Duo Mobile for iOS 3.7.1 and releases it to end users.
• Duo drafts advisory and shares it with affected Enterprise and Business customers.

2015-04-13

• Duo updates advisory and shares it with all remaining customers.

Credits/Contact

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2015-002" in the subject.

Other feedback regarding this issue can be sent to security@duosecurity.com.