Vulnerability in Duo’s Authentication Proxy Server Software

by Michael Trantas
Senior Solutions Architect

We would like to make our Duo customers aware of a recently disclosed vulnerability in Duo’s Authentication Proxy server software. Under the “authproxy.cfg” configuration described below, an attacker can bypass second-factor authentication. While there is no evidence of this vulnerability being exploited in the field, Duo is advising customers to mitigate it as soon as possible.

Within the “authproxy.cfg” file there is an advanced configuration option called “api_timeout”. It sets the number of seconds the Authentication Proxy waits for a response from Duo’s Auth API when a user attempts to log on to a protected application. If that timeout expires before the Auth API has answered, the proxy treats the condition the same way it treats Duo’s cloud service being offline. When the proxy’s “failmode” option is set to “safe” (allow users into the application when Duo’s cloud servers cannot be reached), the expired timeout therefore lets the login through on primary credentials alone, with no second factor. An attacker who can delay or block the proxy’s traffic to Duo can trigger this deliberately. Note that “safe” fails open by design; the alternative value, “secure”, denies logins whenever Duo cannot be reached, which removes this bypass but also locks users out during an outage, so it should be chosen deliberately rather than as a quick fix.

Remediation for this vulnerability is easily achieved by removing the “api_timeout” item from the “authproxy.cfg” file:

  1. Open Windows Explorer and navigate to C:\Program Files (x86)\Duo Security Authentication Proxy\conf.
  2. Make a copy of the “authproxy.cfg” file as a backup.
  3. Using Notepad (RUN AS Administrator), open the “authproxy.cfg” file and search for “api_timeout”.
  4. If the setting is present, delete every line that begins with “api_timeout” (it may appear in more than one section) and then click FILE → SAVE, keeping the file as plain text. If it is not present, this setting does not affect your proxy; continue to the upgrade section below.
  5. Click on START → RUN → type SERVICES.MSC and press ENTER.
  6. In the services console, locate the “Duo Authentication Proxy” service and right-click it.
  7. When the sub-menu appears, select STOP.
  8. Once the service has stopped, right-click the “Duo Authentication Proxy” service again.
  9. When the sub-menu appears, select START.
  10. Verify that all protected applications still prompt for Duo 2FA and are working properly.
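The script below is an added example, not Duo’s or Helient’s own tooling, that covers both the configuration check described above and the ten manual steps: it reports every section of “authproxy.cfg” that sets “api_timeout” together with that section’s “failmode”, and, when run with -Remediate, backs the file up, strips the “api_timeout” lines and restarts the service. It assumes the default install path and the service display name given on this page, that the file uses the INI-style [section] layout Duo’s proxy reads, and that a missing “failmode” behaves as “safe” (Duo’s documented default). Run it from an elevated PowerShell prompt on each Authentication Proxy host.

```powershell
# Audit / remediate the api_timeout + failmode=safe fail-open combination.
# Added example; not Duo's or Helient's tooling. Path and service display name
# are the ones given on this page; adjust $ConfigPath if the proxy lives elsewhere.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg',
    [switch]$Remediate   # without this switch the script only reports
)

$lines = Get-Content -Path $ConfigPath -ErrorAction Stop

# Pass 1: walk the INI-style file and collect api_timeout / failmode per [section].
$sections = [ordered]@{}
$current  = '(no section)'
foreach ($line in $lines) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
    if ($t -match '^(api_timeout|failmode)\s*=\s*(.*?)\s*$') {
        if (-not $sections.Contains($current)) { $sections[$current] = @{} }
        $sections[$current][$Matches[1]] = $Matches[2]
    }
}

# Report: a section is at risk when api_timeout is set and failmode is not "secure".
# A missing failmode is treated as "safe" because that is Duo's documented default (assumption).
$atRisk = @()
foreach ($name in $sections.Keys) {
    $s = $sections[$name]
    if (-not $s.ContainsKey('api_timeout')) { continue }
    $mode     = if ($s.ContainsKey('failmode')) { $s['failmode'].ToLower() } else { 'safe (default)' }
    $failOpen = $mode -notlike 'secure*'
    $verdict  = if ($failOpen) { 'FAIL-OPEN, 2FA bypass possible' } else { 'fails closed' }
    Write-Host ('[{0}] api_timeout={1} failmode={2} -> {3}' -f $name, $s['api_timeout'], $mode, $verdict)
    if ($failOpen) { $atRisk += $name }
}
if ($atRisk.Count -eq 0) { Write-Host 'No section sets api_timeout with a fail-open failmode.'; return }
if (-not $Remediate)     { Write-Host 'Re-run with -Remediate to strip api_timeout and restart the service.'; return }

# Pass 2 (steps 2-4 of the procedure): back up, then remove every api_timeout line.
$backup = '{0}.{1}.bak' -f $ConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -Path $ConfigPath -Destination $backup
$kept = @($lines | Where-Object { $_.Trim() -notmatch '^api_timeout\s*=' })
# Set-Content writes plain text (no RTF/Word formatting), which is what the proxy expects.
Set-Content -Path $ConfigPath -Value $kept
Write-Host ('Removed {0} api_timeout line(s); backup saved to {1}' -f ($lines.Count - $kept.Count), $backup)

# Steps 5-9: stop and start the service so the new configuration is loaded.
$svc = Get-Service -DisplayName 'Duo Authentication Proxy' -ErrorAction Stop
Restart-Service -InputObject $svc -Force
Write-Host ('Service state: {0}' -f (Get-Service -InputObject $svc).Status)
# Step 10 is still manual: log on to a protected application and confirm the Duo prompt appears.
```

Run it once without -Remediate on every proxy host to see which server sections would fail open; a section that sets “api_timeout” but whose “failmode” is “secure” is reported as failing closed and is left alone, since removing the timeout there changes nothing about the bypass. The timestamped backup keeps the original file beside the edited one, matching step 2 of the manual procedure.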

We are also advising all customers to take this opportunity to upgrade to the latest version of the Duo Authentication Proxy software. Please follow the instructions below to upgrade your Authentication Proxy software:

  1. On each of your Authentication Proxy servers, open a web browser and navigate to https://dl.duosecurity.com/duoauthproxy-latest.exe. This will download the latest version of Duo’s Authentication Proxy installer.
  2. Open Windows Explorer and navigate to C:\Program Files (x86)\Duo Security Authentication Proxy\conf.
  3. Make a copy of the “authproxy.cfg” file as a backup.
  4. Locate the duoauthproxy.x.xx.x.exe file you downloaded and double-click it to run the installer.
  5. Follow all prompts to install the software and click Close when done.
  6. At this point, the Duo Authentication Proxy service will be stopped on the local computer. Click on START → RUN → type SERVICES.MSC and press ENTER.
  7. In the services console, locate the “Duo Authentication Proxy” service and right-click it.
  8. When the sub-menu appears, select START.
  9. Verify that all protected applications still prompt for Duo 2FA and are working properly.

For more information regarding this vulnerability, please see https://help.duo.com/s/article/3341. Helient is also available to assist with this remediation as needed.

If you would like assistance, please contact service@helient.com.