Your message dated Wed, 31 May 2017 21:09:45 +0000
with message-id <[email protected]>
and subject line Bug#863831: fixed in duo-unix 1.9.21-1
has caused the Debian Bug report #863831,
regarding libpam-duo: Security issue reported with versions prior to 1.9.21;
need package updated
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
863831: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863831
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-duo
Version: 1.9.18-1~sbp80+1
Severity: important
Dear Maintainer,
This is from Duo Security:
Duo Product Security Advisory
=============================
Advisory ID: DUO-PSA-2017-002
Publication Date: 2017-05-31
Revision Date: 2017-05-31
Status: Confirmed, Fixed
Document Revision: 1
Overview
Duo Security has identified an issue in duo_unix, which, under certain
uncommon configurations, could enable attackers to bypass second-factor
user authentication. Duo has no evidence that this vulnerability has
actively been exploited and we believe this specific configuration is
extraordinarily uncommon.
This issue was resolved in version 1.9.21 of duo_unix. Customers using an
affected configuration should update to the latest version as soon as
possible (see "Solution" section below).
Description
Prior to version 1.9.21, duo_unix (which includes both login_duo and
pam_duo), supported setting an HTTP proxy configuration through the
standard 'http_proxy' environment variable. Under some uncommon
configurations (examples listed below), however, it is possible for an
untrusted user to set a value for the 'http_proxy' variable prior to
initiating a Duo authentication attempt.
If an invalid proxy host (e.g. '0.0.0.0') is selected, then
login_duo/pam_duo will ultimately fail to connect to Duo's API, and as a
result, trigger the configured "failmode" behavior. If "failmode" is set
to "safe" (which is the default), then this could result in a bypass of
second-factor authentication.
Duo has identified two specific configuration scenarios in which an
untrusted user may be able to control the value of the 'http_proxy'
environment variable.
1. login_duo with nonstandard sshd "AcceptEnv" configurations:
OpenSSH can permit clients to forward environment variables to servers. By
default, OpenSSH server distributions generally allow only a whitelisted
set of variables (which does not include 'http_proxy') to be forwarded in
this way. It is possible, however, for an administrator to configure a
less-restrictive policy using the AcceptEnv keyword in sshd_config.
If a server has been configured with a non-default AcceptEnv policy that
permits clients to send an 'http_proxy' environment variable, and is using
login_duo to add Duo 2FA to ssh logins, then this configuration could
result in a bypass of Duo 2FA.
This scenario only applies to login_duo; when used with OpenSSH, pam_duo
is unaffected by this issue.
2. pam_duo with local authentication (e.g. su / sudo):
While pam_duo is not affected by this issue when used with OpenSSH, when
pam_duo is being used to perform 2FA in other contexts - particularly, to
authenticate system-local actions performed by untrusted users - it may be
possible for untrusted users to control the value of the 'http_proxy'
environment variable prior to initiating an authentication attempt.
In particular, Duo has confirmed that configurations which use pam_duo to
add Duo 2FA to the "su" and "sudo" commands are impacted by this issue.
Version 1.9.21 of duo_unix has been released to resolve this issue. It
removes support for configuring an HTTP Proxy via an environment variable.
Impact
Attackers may be able to bypass second-factor authentication on impacted
configurations which accept attacker-controlled environment variables.
Affected Product(s)
All versions of duo_unix prior to 1.9.21 are impacted when used in one of
the following configuration scenarios:
* login_duo is performing 2FA for SSH logins, and sshd has been configured
with a permissive (non-default) AcceptEnv policy
* pam_duo is performing 2FA for scenarios other than SSH logins
Workaround
Customers using login_duo in an affected configuration may work around
this issue by ensuring that their AcceptEnv configuration for sshd
(e.g. in /etc/ssh/sshd_config) does not permit clients to send an
'http_proxy' variable.
Customers using pam_duo in an affected configuration must upgrade to the
latest version of duo_unix.
Solution
Customers should upgrade to the latest version of the duo_unix client as
discussed above. Clone the latest version from:
* https://github.com/duosecurity/duo_unix
For more information on upgrading duo_unix, see
https://duo.com/docs/duounix
Vulnerability Metrics
Vulnerability Class: CWE-454: External Initialization of Trusted Variables or Data Stores
https://cwe.mitre.org/data/definitions/454.html
Remotely Exploitable: [No]
Authentication Required: [Partial]
Severity: [High]
CVSSv2 Overall Score: 5.0
CVSSv2 Group Scores: Base: 6.0, Temporal: 5.0
CVSSv2 Vector: AV:L/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
References
* CWE-454: External Initialization of Trusted Variables or Data Stores - https://cwe.mitre.org/data/definitions/454.html
* Duo Unix Reference - https://duo.com/docs/duounix
Timeline
2017-05-19
* Duo privately receives report of a security vulnerability in Duo Unix
* Duo acknowledges receipt of report and begins investigation
2017-05-22
* Duo confirms vulnerability exists in related case to original report
2017-05-30
* Duo completes development and testing of fixes
2017-05-31
* Advisory released to all Duo customers using duo_unix
Credits/Contact
Technical questions regarding this issue should be sent to
[email protected] and reference "DUO-PSA-2017-002" in the subject,
or to your Customer Success Manager, if appropriate.
Duo Security would like to thank Fred Emmott for reporting this issue.
-- System Information:
Debian Release: 8.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-duo depends on:
ii libc6 2.19-18+deb8u7
ii libduo3 1.9.18-1~sbp80+1
ii libpam-runtime 1.1.8-3.1+deb8u2
ii libpam0g 1.1.8-3.1+deb8u2
ii libssl1.0.0 1.0.1t-1+deb8u6
ii multiarch-support 2.19-18+deb8u7
libpam-duo recommends no packages.
libpam-duo suggests no packages.
-- Configuration Files:
/etc/security/pam_duo.conf [Errno 13] Permission denied: u'/etc/security/pam_duo.conf'
-- no debconf information
--- End Message ---
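The advisory in the message above (its Description and Workaround sections) ties the login_duo bypass to three things an administrator can inspect: the installed duo_unix version, the sshd AcceptEnv policy, and the Duo failmode setting. The audit script below is an added example written for this page; it is not code from Duo Security or from the Debian package. It assumes that sshd keywords compare case-insensitively and that AcceptEnv patterns use only the '*' and '?' wildcards (Match blocks are not modelled), and it takes the alternative failmode value 'secure' from the duo_unix documentation rather than from the advisory text. The sshd_config and login_duo.conf it writes are constructed samples for the demonstration, not real host files.

```shell
#!/bin/sh
# Added audit example for DUO-PSA-2017-002; not code from Duo or the Debian
# package. It checks, from a defender's side, the three conditions the advisory
# combines for the login_duo scenario: a duo_unix version before 1.9.21, an
# sshd AcceptEnv policy that would accept 'http_proxy', and a Duo config whose
# failmode is 'safe'. Assumptions: sshd keywords compare case-insensitively and
# AcceptEnv patterns use only '*' and '?' (mapped onto sh 'case' globbing);
# Match blocks are not modelled; the alternative failmode value 'secure' comes
# from the duo_unix documentation, not from the advisory text.

# version_lt A B: 0 if dotted numeric version A is older than B, else 1.
# A Debian revision such as "1.9.18-1~sbp80+1" is reduced to "1.9.18" first.
version_lt() {
    a=${1%%[-~+]*}; b=${2%%[-~+]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 1
    done
    return 1
}

# acceptenv_allows FILE VARNAME: 0 (printing the matching pattern) if any
# AcceptEnv pattern in FILE would let an ssh client forward VARNAME, else 1.
acceptenv_allows() {
    cfg=$1; var=$2; hit=1
    set -f   # keep '*' in patterns from expanding against the filesystem
    while read -r line; do
        set -- $(printf '%s' "$line" | tr '=' ' ')   # "Key val" or "Key=val"
        [ $# -ge 2 ] || continue
        [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = acceptenv ] || continue
        shift
        for pat in "$@"; do
            case $var in
                $pat) echo "AcceptEnv pattern '$pat' accepts $var"; hit=0 ;;
            esac
        done
    done < "$cfg"
    set +f
    return $hit
}

# duo_failmode FILE: prints the effective failmode from an ini-style duo_unix
# config; unset means 'safe', the default the advisory describes.
duo_failmode() {
    mode=safe
    while read -r line; do            # read strips leading whitespace
        case $line in
            failmode*=*) mode=$(printf '%s' "${line#*=}" | tr -d ' \t') ;;
        esac
    done < "$1"
    echo "$mode"
}

# audit VERSION SSHD_CONFIG DUO_CONFIG: prints each finding, returns their count.
audit() {
    findings=0
    if version_lt "$1" 1.9.21; then
        echo "duo_unix $1 predates 1.9.21 and still honours http_proxy from the environment"
        findings=$((findings + 1))
    fi
    if acceptenv_allows "$2" http_proxy; then findings=$((findings + 1)); fi
    if [ "$(duo_failmode "$3")" = safe ]; then
        echo "failmode is 'safe': a failed connection to the Duo API lets the login proceed"
        findings=$((findings + 1))
    fi
    return $findings
}

# write_samples DIR: constructed sample configs (not from any real host).
write_samples() {
    mkdir -p "$1"
    cat > "$1/sshd_config" <<'EOF'
# constructed sample with a permissive, non-default AcceptEnv policy
Port 22
AcceptEnv LANG LC_*
AcceptEnv http_* TERM
EOF
    cat > "$1/login_duo.conf" <<'EOF'
; constructed sample
[duo]
ikey = IKEY_PLACEHOLDER
failmode = safe
EOF
}

# Demonstration on the reporter's version string and the sample files.
tmp=${TMPDIR:-/tmp}/duo_audit_example.$$
write_samples "$tmp"
audit "1.9.18-1~sbp80+1" "$tmp/sshd_config" "$tmp/login_duo.conf"
echo "findings: $?"
rm -r "$tmp"
```

On a Debian host the version argument can come from `dpkg-query -W -f='${Version}' libpam-duo` and the two file arguments from /etc/ssh/sshd_config and whichever Duo config is in use. The AcceptEnv check only matters for the login_duo scenario, since the advisory states that pam_duo under OpenSSH is unaffected; the version and failmode checks apply to both scenarios.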
--- Begin Message ---
Source: duo-unix
Source-Version: 1.9.21-1
We believe that the bug you reported is fixed in the latest version of
duo-unix, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kees Cook <[email protected]> (supplier of updated duo-unix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 31 May 2017 11:16:05 -0700
Source: duo-unix
Binary: libpam-duo login-duo libduo3 libduo-dev
Architecture: source amd64
Version: 1.9.21-1
Distribution: unstable
Urgency: medium
Maintainer: Kees Cook <[email protected]>
Changed-By: Kees Cook <[email protected]>
Description:
libduo-dev - Duo Security development libraries and header files
libduo3 - Duo Security library
libpam-duo - PAM module for Duo Security two-factor authentication
login-duo - login wrapper for Duo Security two-factor authentication
Closes: 863831
Changes:
duo-unix (1.9.21-1) unstable; urgency=medium
.
* New upstream release (Closes: 863831).
* patches:
- drop openssl.patch (taken upstream).
- add libduo-install.patch (revert upstream removal).
Checksums-Sha1:
6a3112493697327c0af54a6876a19ec33795159b 1956 duo-unix_1.9.21-1.dsc
d4833325edf8f40c4387c2350f6337d9a9c27e4d 470168 duo-unix_1.9.21.orig.tar.gz
d892774085815cb8404f57b1834172f37decb074 8112 duo-unix_1.9.21-1.debian.tar.xz
b42830ae93e3d73a0e1c654db080c6ba33d5c2ba 8008 duo-unix_1.9.21-1_amd64.buildinfo
96937bdd6cd3b780fc7655e9ead8a4c850bb0556 8724 libduo-dev_1.9.21-1_amd64.deb
5931fa5e19cbf4eb3ef13b08147aebc6b29bde2b 64966 libduo3-dbgsym_1.9.21-1_amd64.deb
5461a3eb0c95feac86e3f1c78d9f7175d3083805 35578 libduo3_1.9.21-1_amd64.deb
38c8282bd71a1e1e5145a6e6280ef312479c9b21 13564 libpam-duo-dbgsym_1.9.21-1_amd64.deb
a93b40f5b8ec853cf0776ee10f4e79bc660d1c44 14910 libpam-duo_1.9.21-1_amd64.deb
06c31729509d9356115f26060ae35269ddf5174a 11918 login-duo-dbgsym_1.9.21-1_amd64.deb
04034093654066884f4a48a5166cf8a62cc6e458 15870 login-duo_1.9.21-1_amd64.deb
Checksums-Sha256:
4d6c70555b88209a09977d577caf9b783ddf47e9ace029d728a6b595f630030e 1956 duo-unix_1.9.21-1.dsc
582ea3b533dea7b95c9be24c2be2e879288e2f315f956228d504b9a9315c8b50 470168 duo-unix_1.9.21.orig.tar.gz
309476c7fc813f165072d5e9abeb30d38c287985cafcedd8a3fdb7fc959be96a 8112 duo-unix_1.9.21-1.debian.tar.xz
9341d1ba8f981278200afe0cf0fc0ddafa28cba36386aa0e32db0eb346946cce 8008 duo-unix_1.9.21-1_amd64.buildinfo
f4abdbbe67b27255cac57d2fd389b4fe788af5da5d1cced8cb15c4cc0d597f85 8724 libduo-dev_1.9.21-1_amd64.deb
54936a82ac4bda57a20bca238e3f8738f4da138f0e0e43cc0cfe5ce70e6a6826 64966 libduo3-dbgsym_1.9.21-1_amd64.deb
96cc7dd9181410a2466ac324d3b1cf499b32d8df73348067edde59a156ba9258 35578 libduo3_1.9.21-1_amd64.deb
45e82385cc0876f568de9ea05abd3df62c8b01f4c0f7ce0ae6fa4cad5e515676 13564 libpam-duo-dbgsym_1.9.21-1_amd64.deb
971a51d08770f03a56f98f9a8db3b16af41378d64c561d7feb11ae4469fb591a 14910 libpam-duo_1.9.21-1_amd64.deb
6a300b9afa000bc52d3471396965516d35a5b28d47f19a7bfbac10f5a670ffcc 11918 login-duo-dbgsym_1.9.21-1_amd64.deb
69f6a9e453300d039784f27d16b906d4cf1141f23a47b6053896dc2c92475f0a 15870 login-duo_1.9.21-1_amd64.deb
Files:
1e43be21a0c41aec5f4659635d16f14f 1956 libs extra duo-unix_1.9.21-1.dsc
148e0d9c6beb8bbfe099ba85e0a0c3ce 470168 libs extra duo-unix_1.9.21.orig.tar.gz
22e1c4ffed77c114dd00d4377a37f070 8112 libs extra duo-unix_1.9.21-1.debian.tar.xz
a363c8dbd043f9fb4efa416f36971cbb 8008 libs extra duo-unix_1.9.21-1_amd64.buildinfo
e9eb77b77764b696689bcfe49300fc42 8724 libdevel extra libduo-dev_1.9.21-1_amd64.deb
89894e76db8a5fba2d53a12d51de6007 64966 debug extra libduo3-dbgsym_1.9.21-1_amd64.deb
3184cdc387f71d74e2cb2e900c61a715 35578 libs extra libduo3_1.9.21-1_amd64.deb
c2ccddd71bf60f4cfe801d644c4a3f6a 13564 debug extra libpam-duo-dbgsym_1.9.21-1_amd64.deb
3a945088426106790680d8b2436f6e86 14910 libs extra libpam-duo_1.9.21-1_amd64.deb
70cbdf7df3eab961b011e716578495d5 11918 debug extra login-duo-dbgsym_1.9.21-1_amd64.deb
4b67a4e70a290a7b420b6104b107eaed 15870 admin extra login-duo_1.9.21-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Kees Cook <[email protected]>
iQIcBAEBCgAGBQJZLxPtAAoJEIly9N/cbcAmnQgP/ihxKP00nxNBBnqqvgBzGvUV
TntTmoRzMgMIS4FNWecFF5kkPDG7WDScwdlHMoE1S7ScjGLupAY6WdrJ+oHuXsxm
aL8Ytn63xcV/k5X4K1pXPyRNiY15g7JXiGwy9yAJy2gOnG/6Z7IYmNsDoU0aMFb+
mbzj/ZD0rp5cIE7S5IehRaU89y+MfC8xcqxM1gdQMdAG66s9LTisETMJO/Pk2R97
P5I1IgmBJOTw/VkIDNIEtuj8I6zR4aoxef82zSDPknBS8cwhWJ0GAlGXLWD0USa8
Li15ixGEzpKwQKol1/GwyeOpeqiXFfaue5ruLfMHAyu5vKotnGdeUS0XQ4UsoLzj
fqt4V8W/A+YbIGroIcly2lBil4syv2hz4S91LTx7OcZguzhBEVdLnZBN0D4Y/XTl
5bqod2BbER9DXTCJ+FGnY/AplI53ZvN96dy6nkOd2w5VrG90hka1fqemakpS1c3F
VqbVhhh/ODf9g3YK0XY55Wcl3yImctdJQAtM41uBjHw3dEFn+uUk2Uq7W4VkzFWU
s3kZzgcVkkCIhI5LnVvKAP+NH+lCiwDWYoYZkrm+vWW3ne0T0hcUYAtyNpBSBTBQ
oZPFBG3/HEohisvcOkHi0m26aSxYF+tBbluQySMg9juXBKzuxMZQ8Bzf9I4vbWJY
di71Eh6rn6Zqszq3sYhv
=Y6pd
-----END PGP SIGNATURE-----
--- End Message ---