Vulnerability-Lookup

CNVD-2020-45580

Vulnerability from cnvd - Published: 2020-08-09

Title

Cisco DuoConnect身份验证漏洞

Description

Cisco DuoConnect是美国思科（Cisco）公司的一套双因素身份验证解决方案。 Cisco DuoConnect 1.1.1之前版本中存在安全漏洞，该漏洞源于当DuoConnect配置成‘http：//’时，在某些情况下，程序会将身份验证令牌通过未加密的HTTP连接发送到Duo Network Gateway (DNG)实例中。攻击者可利用该漏洞绕过DNG服务器并获取网络访问权限。

Severity

低

Patch Name

Cisco DuoConnect身份验证漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://duo.com/labs/psa/duo-psa-2020-003

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-3442

Impacted products

Name
Cisco Cisco DuoConnect <1.1.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-3442",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-3442"
    }
  },
  "description": "Cisco DuoConnect\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u53cc\u56e0\u7d20\u8eab\u4efd\u9a8c\u8bc1\u89e3\u51b3\u65b9\u6848\u3002\n\nCisco DuoConnect 1.1.1\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53DuoConnect\u914d\u7f6e\u6210\u2018http\uff1a//\u2019\u65f6\uff0c\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u7a0b\u5e8f\u4f1a\u5c06\u8eab\u4efd\u9a8c\u8bc1\u4ee4\u724c\u901a\u8fc7\u672a\u52a0\u5bc6\u7684HTTP\u8fde\u63a5\u53d1\u9001\u5230Duo Network Gateway (DNG)\u5b9e\u4f8b\u4e2d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7DNG\u670d\u52a1\u5668\u5e76\u83b7\u53d6\u7f51\u7edc\u8bbf\u95ee\u6743\u9650\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://duo.com/labs/psa/duo-psa-2020-003",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-45580",
  "openTime": "2020-08-09",
  "patchDescription": "Cisco DuoConnect\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u53cc\u56e0\u7d20\u8eab\u4efd\u9a8c\u8bc1\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nCisco DuoConnect 1.1.1\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53DuoConnect\u914d\u7f6e\u6210\u2018http\uff1a//\u2019\u65f6\uff0c\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u7a0b\u5e8f\u4f1a\u5c06\u8eab\u4efd\u9a8c\u8bc1\u4ee4\u724c\u901a\u8fc7\u672a\u52a0\u5bc6\u7684HTTP\u8fde\u63a5\u53d1\u9001\u5230Duo Network Gateway (DNG)\u5b9e\u4f8b\u4e2d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7DNG\u670d\u52a1\u5668\u5e76\u83b7\u53d6\u7f51\u7edc\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco DuoConnect\u8eab\u4efd\u9a8c\u8bc1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Cisco DuoConnect \u003c1.1.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-3442",
  "serverity": "\u4f4e",
  "submitTime": "2020-07-21",
  "title": "Cisco DuoConnect\u8eab\u4efd\u9a8c\u8bc1\u6f0f\u6d1e"
}

CVE-2020-3442 (GCVE-0-2020-3442)

Vulnerability from cvelistv5 – Published: 2020-07-20 20:45 – Updated: 2024-11-13 18:18

Title

DuoConnect SSH Connection Vulnerability

Summary

The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user’s browser is opened to a login screen in order to complete authentication determined by the contents of the '-relay' argument. If the ‘-relay’ is set to a URL beginning with "http://", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured '-relay' value, and sends this token, as well as the intended SSH server hostname and port numbers. If the '-relay' argument begins with "http://", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Assigner

cisco

References

URL

Tags

https://duo.com/labs/psa/duo-psa-2020-003

vendor-advisoryx_refsource_CISCO

Impacted products

	Vendor	Product	Version
	Cisco	DUO Connect	Affected: unspecified , < 1.1.1 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:37:54.411Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DuoConnect SSH Connection Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://duo.com/labs/psa/duo-psa-2020-003"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-3442",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-13T17:25:08.998643Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-13T18:18:39.826Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DUO Connect",
          "vendor": "Cisco",
          "versions": [
            {
              "lessThan": "1.1.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-07-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user\u2019s browser is opened to a login screen in order to complete authentication determined by the contents of the \u0027-relay\u0027 argument. If the \u2018-relay\u2019 is set to a URL beginning with \"http://\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured \u0027-relay\u0027 value, and sends this token, as well as the intended SSH server hostname and port numbers. If the \u0027-relay\u0027 argument begins with \"http://\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-20T20:45:17",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "DuoConnect SSH Connection Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://duo.com/labs/psa/duo-psa-2020-003"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The Duo Product team has fixed the issue by updating DuoConnect to version 1.1.1, which rejects relay configurations that do not specify an HTTPS-based relay.\n\nA DNG instance will automatically instruct users to install the latest version of DuoConnect. Duo administrators do not need to perform any manual updates unless their DNG is not able to connect to the internet to download the new version of the software. In that case, administrators should instruct end-users to download the latest DuoConnect version directly using the links below.\n\nSteps required for end-user remediation:\n\nUpdate DuoConnect:\nEnd-users will need to update DuoConnect once prompted to do so by the DNG (users will be prompted to upgrade DuoConnect during authentication in their browser from July 7, 2020 onwards).\nThe updated version of DuoConnect can alternatively be downloaded directly from the following locations at any time: Windows - https://dl.duosecurity.com/DuoConnect-1.1.1.msi\nmacOS - https://dl.duosecurity.com/DuoConnect-1.1.1.pkg\nLinux - https://dl.duosecurity.com/DuoConnect-1.1.1.tar.gz\nThe signature of DuoConnect installer files can be verified at https://duo.com/docs/checksums.\n\nEnd-users will need to update their DuoConnect SSH configuration if they receive the error message shown below:\n\nError: Invalid URL: relay scheme http://server-ssh.example.com invalid: must be https\n\nUpdate the SSH configuration: Locate the http relay in the SSH configuration e.g. \u201cProxyCommand duoconnect -host=%h:%p -relay=http://server-ssh.example.com\u201d Ensure the relay uses \u2018https://\u2019, and not \u2018http://\u2019\n\nThe SSH configuration for *nix and macOS operating systems can be located at ~/.ssh/config. The SSH configuration for Windows operating systems can most commonly be found in the user directory C:\\Users\\username.ssh.\n\nAdditionally, you can refer to the \u201cConfigure SSH\u201d section in the DuoConnect guide to learn more about steps for SSH configuration should you need further guidance."
        }
      ],
      "source": {
        "advisory": "DUO-PSA-2020-003",
        "defect": [
          "DUO-PSA-2020-003"
        ],
        "discovery": "INTERNAL"
      },
      "title": "DuoConnect SSH Connection Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2020-07-15T20:00:00.000Z",
          "ID": "CVE-2020-3442",
          "STATE": "PUBLIC",
          "TITLE": "DuoConnect SSH Connection Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "DUO Connect",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user\u2019s browser is opened to a login screen in order to complete authentication determined by the contents of the \u0027-relay\u0027 argument. If the \u2018-relay\u2019 is set to a URL beginning with \"http://\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured \u0027-relay\u0027 value, and sends this token, as well as the intended SSH server hostname and port numbers. If the \u0027-relay\u0027 argument begins with \"http://\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-319 Cleartext Transmission of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "DuoConnect SSH Connection Vulnerability",
              "refsource": "CISCO",
              "url": "https://duo.com/labs/psa/duo-psa-2020-003"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "The Duo Product team has fixed the issue by updating DuoConnect to version 1.1.1, which rejects relay configurations that do not specify an HTTPS-based relay.\n\nA DNG instance will automatically instruct users to install the latest version of DuoConnect. Duo administrators do not need to perform any manual updates unless their DNG is not able to connect to the internet to download the new version of the software. In that case, administrators should instruct end-users to download the latest DuoConnect version directly using the links below.\n\nSteps required for end-user remediation:\n\nUpdate DuoConnect:\nEnd-users will need to update DuoConnect once prompted to do so by the DNG (users will be prompted to upgrade DuoConnect during authentication in their browser from July 7, 2020 onwards).\nThe updated version of DuoConnect can alternatively be downloaded directly from the following locations at any time: Windows - https://dl.duosecurity.com/DuoConnect-1.1.1.msi\nmacOS - https://dl.duosecurity.com/DuoConnect-1.1.1.pkg\nLinux - https://dl.duosecurity.com/DuoConnect-1.1.1.tar.gz\nThe signature of DuoConnect installer files can be verified at https://duo.com/docs/checksums.\n\nEnd-users will need to update their DuoConnect SSH configuration if they receive the error message shown below:\n\nError: Invalid URL: relay scheme http://server-ssh.example.com invalid: must be https\n\nUpdate the SSH configuration: Locate the http relay in the SSH configuration e.g. \u201cProxyCommand duoconnect -host=%h:%p -relay=http://server-ssh.example.com\u201d Ensure the relay uses \u2018https://\u2019, and not \u2018http://\u2019\n\nThe SSH configuration for *nix and macOS operating systems can be located at ~/.ssh/config. The SSH configuration for Windows operating systems can most commonly be found in the user directory C:\\Users\\username.ssh.\n\nAdditionally, you can refer to the \u201cConfigure SSH\u201d section in the DuoConnect guide to learn more about steps for SSH configuration should you need further guidance."
          }
        ],
        "source": {
          "advisory": "DUO-PSA-2020-003",
          "defect": [
            "DUO-PSA-2020-003"
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2020-3442",
    "datePublished": "2020-07-20T20:45:17.962522Z",
    "dateReserved": "2019-12-12T00:00:00",
    "dateUpdated": "2024-11-13T18:18:39.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-45580

CVE-2020-3442 (GCVE-0-2020-3442)

Tags

Sightings

Nomenclature