CVE-2020-3442 (GCVE-0-2020-3442)

Vulnerability from cvelistv5 – Published: 2020-07-20 20:45 – Updated: 2024-11-13 18:18
VLAI?
Title
DuoConnect SSH Connection Vulnerability
Summary
The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user’s browser is opened to a login screen in order to complete authentication determined by the contents of the '-relay' argument. If the ‘-relay’ is set to a URL beginning with "http://", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured '-relay' value, and sends this token, as well as the intended SSH server hostname and port numbers. If the '-relay' argument begins with "http://", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.
Severity ?
4.8 (Medium)
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE
  • CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
https://duo.com/labs/psa/duo-psa-2020-003 vendor-advisoryx_refsource_CISCO
Impacted products
Vendor Product Version
Cisco DUO Connect Affected: unspecified , < 1.1.1 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:37:54.411Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DuoConnect SSH Connection Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://duo.com/labs/psa/duo-psa-2020-003"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-3442",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-13T17:25:08.998643Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-13T18:18:39.826Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DUO Connect",
          "vendor": "Cisco",
          "versions": [
            {
              "lessThan": "1.1.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-07-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user\u2019s browser is opened to a login screen in order to complete authentication determined by the contents of the \u0027-relay\u0027 argument. If the \u2018-relay\u2019 is set to a URL beginning with \"http://\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured \u0027-relay\u0027 value, and sends this token, as well as the intended SSH server hostname and port numbers. If the \u0027-relay\u0027 argument begins with \"http://\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-20T20:45:17",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "DuoConnect SSH Connection Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://duo.com/labs/psa/duo-psa-2020-003"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The Duo Product team has fixed the issue by updating DuoConnect to version 1.1.1, which rejects relay configurations that do not specify an HTTPS-based relay.\n\nA DNG instance will automatically instruct users to install the latest version of DuoConnect. Duo administrators do not need to perform any manual updates unless their DNG is not able to connect to the internet to download the new version of the software. In that case, administrators should instruct end-users to download the latest DuoConnect version directly using the links below.\n\nSteps required for end-user remediation:\n\nUpdate DuoConnect:\nEnd-users will need to update DuoConnect once prompted to do so by the DNG (users will be prompted to upgrade DuoConnect during authentication in their browser from July 7, 2020 onwards).\nThe updated version of DuoConnect can alternatively be downloaded directly from the following locations at any time: Windows - https://dl.duosecurity.com/DuoConnect-1.1.1.msi\nmacOS - https://dl.duosecurity.com/DuoConnect-1.1.1.pkg\nLinux - https://dl.duosecurity.com/DuoConnect-1.1.1.tar.gz\nThe signature of DuoConnect installer files can be verified at https://duo.com/docs/checksums.\n\nEnd-users will need to update their DuoConnect SSH configuration if they receive the error message shown below:\n\nError: Invalid URL: relay scheme http://server-ssh.example.com invalid: must be https\n\nUpdate the SSH configuration: Locate the http relay in the SSH configuration e.g. \u201cProxyCommand duoconnect -host=%h:%p -relay=http://server-ssh.example.com\u201d Ensure the relay uses \u2018https://\u2019, and not \u2018http://\u2019\n\nThe SSH configuration for *nix and macOS operating systems can be located at ~/.ssh/config. The SSH configuration for Windows operating systems can most commonly be found in the user directory C:\\Users\\username.ssh.\n\nAdditionally, you can refer to the \u201cConfigure SSH\u201d section in the DuoConnect guide to learn more about steps for SSH configuration should you need further guidance."
        }
      ],
      "source": {
        "advisory": "DUO-PSA-2020-003",
        "defect": [
          "DUO-PSA-2020-003"
        ],
        "discovery": "INTERNAL"
      },
      "title": "DuoConnect SSH Connection Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2020-07-15T20:00:00.000Z",
          "ID": "CVE-2020-3442",
          "STATE": "PUBLIC",
          "TITLE": "DuoConnect SSH Connection Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "DUO Connect",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user\u2019s browser is opened to a login screen in order to complete authentication determined by the contents of the \u0027-relay\u0027 argument. If the \u2018-relay\u2019 is set to a URL beginning with \"http://\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured \u0027-relay\u0027 value, and sends this token, as well as the intended SSH server hostname and port numbers. If the \u0027-relay\u0027 argument begins with \"http://\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-319 Cleartext Transmission of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "DuoConnect SSH Connection Vulnerability",
              "refsource": "CISCO",
              "url": "https://duo.com/labs/psa/duo-psa-2020-003"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "The Duo Product team has fixed the issue by updating DuoConnect to version 1.1.1, which rejects relay configurations that do not specify an HTTPS-based relay.\n\nA DNG instance will automatically instruct users to install the latest version of DuoConnect. Duo administrators do not need to perform any manual updates unless their DNG is not able to connect to the internet to download the new version of the software. In that case, administrators should instruct end-users to download the latest DuoConnect version directly using the links below.\n\nSteps required for end-user remediation:\n\nUpdate DuoConnect:\nEnd-users will need to update DuoConnect once prompted to do so by the DNG (users will be prompted to upgrade DuoConnect during authentication in their browser from July 7, 2020 onwards).\nThe updated version of DuoConnect can alternatively be downloaded directly from the following locations at any time: Windows - https://dl.duosecurity.com/DuoConnect-1.1.1.msi\nmacOS - https://dl.duosecurity.com/DuoConnect-1.1.1.pkg\nLinux - https://dl.duosecurity.com/DuoConnect-1.1.1.tar.gz\nThe signature of DuoConnect installer files can be verified at https://duo.com/docs/checksums.\n\nEnd-users will need to update their DuoConnect SSH configuration if they receive the error message shown below:\n\nError: Invalid URL: relay scheme http://server-ssh.example.com invalid: must be https\n\nUpdate the SSH configuration: Locate the http relay in the SSH configuration e.g. \u201cProxyCommand duoconnect -host=%h:%p -relay=http://server-ssh.example.com\u201d Ensure the relay uses \u2018https://\u2019, and not \u2018http://\u2019\n\nThe SSH configuration for *nix and macOS operating systems can be located at ~/.ssh/config. The SSH configuration for Windows operating systems can most commonly be found in the user directory C:\\Users\\username.ssh.\n\nAdditionally, you can refer to the \u201cConfigure SSH\u201d section in the DuoConnect guide to learn more about steps for SSH configuration should you need further guidance."
          }
        ],
        "source": {
          "advisory": "DUO-PSA-2020-003",
          "defect": [
            "DUO-PSA-2020-003"
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2020-3442",
    "datePublished": "2020-07-20T20:45:17.962522Z",
    "dateReserved": "2019-12-12T00:00:00",
    "dateUpdated": "2024-11-13T18:18:39.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:duo:duoconnect:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.1.1\", \"matchCriteriaId\": \"B9DC9EC6-89ED-49E3-A675-0DC8F91CD406\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user\\u2019s browser is opened to a login screen in order to complete authentication determined by the contents of the \u0027-relay\u0027 argument. If the \\u2018-relay\\u2019 is set to a URL beginning with \\\"http://\\\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured \u0027-relay\u0027 value, and sends this token, as well as the intended SSH server hostname and port numbers. If the \u0027-relay\u0027 argument begins with \\\"http://\\\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.\"}, {\"lang\": \"es\", \"value\": \"El cliente DuoConnect permite a los usuarios establecer conexiones SSH con hosts protegidos por una instancia DNG. Cuando un usuario inicia una conexi\\u00f3n SSH con un host protegido por DNG por primera vez usando DuoConnect, el navegador del usuario es abierto en una pantalla de inicio de sesi\\u00f3n para completar la autenticaci\\u00f3n determinada por el contenido del argumento \\\"-relay\\\". Si el \\\"-relay\\\" est\\u00e1 configurado en una URL que comienza con \\\"http://\\\", el navegador intentar\\u00e1 inicialmente cargar la URL por medio de una conexi\\u00f3n HTTP no segura, antes de ser redireccionado inmediatamente a HTTPS (adem\\u00e1s en mecanismos de redireccionamiento est\\u00e1ndar, el DNG utiliza encabezados HTTP Strict Transport Security para aplicar esto). Despu\\u00e9s de autenticarse con \\u00e9xito en un DNG, DuoConnect almacena un token de autenticaci\\u00f3n en una memoria cach\\u00e9 del sistema local, por lo que los usuarios no tienen que completar este flujo de trabajo de autenticaci\\u00f3n basado en el navegador para cada conexi\\u00f3n SSH posterior. Estos tokens son v\\u00e1lidos por un per\\u00edodo de tiempo configurable, que por defecto es de 8 horas. Si un usuario que ejecuta DuoConnect ya tiene un token v\\u00e1lido, entonces, en lugar de abrir un navegador web, DuoConnect contacta directamente con el DNG, nuevamente utilizando el valor \\\"-relay\\\" configurado, y env\\u00eda este token, as\\u00ed como el nombre de host y los n\\u00fameros de puerto del servidor SSH previsto. Si el argumento \\\"-relay\\\" comienza con \\\"http://\\\", esta petici\\u00f3n se enviar\\u00e1 a trav\\u00e9s de una conexi\\u00f3n no segura y podr\\u00eda ser expuesta a un atacante que est\\u00e1 rastreando el tr\\u00e1fico en la misma red. Los tokens de autenticaci\\u00f3n DNG que pueden estar expuestos durante la retransmisi\\u00f3n SSH pueden ser usados para obtener acceso a nivel de red a los servidores y puertos protegidos por ese host de retransmisi\\u00f3n dado. El DNG proporciona acceso al nivel de red solo a los servidores SSH protegidos. No interact\\u00faa con la autenticaci\\u00f3n y el cifrado SSH independiente. Un atacante no puede utilizar un token robado por s\\u00ed mismo para autenticarse contra un servidor SSH protegido con DNG\"}]",
      "id": "CVE-2020-3442",
      "lastModified": "2024-11-21T05:31:04.563",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ykramarz@cisco.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 5.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:A/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 2.9, \"accessVector\": \"ADJACENT_NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 5.5, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-07-20T21:15:12.657",
      "references": "[{\"url\": \"https://duo.com/labs/psa/duo-psa-2020-003\", \"source\": \"ykramarz@cisco.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://duo.com/labs/psa/duo-psa-2020-003\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "ykramarz@cisco.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ykramarz@cisco.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-319\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-319\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-3442\",\"sourceIdentifier\":\"psirt@cisco.com\",\"published\":\"2020-07-20T21:15:12.657\",\"lastModified\":\"2024-11-21T05:31:04.563\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user\u2019s browser is opened to a login screen in order to complete authentication determined by the contents of the \u0027-relay\u0027 argument. If the \u2018-relay\u2019 is set to a URL beginning with \\\"http://\\\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured \u0027-relay\u0027 value, and sends this token, as well as the intended SSH server hostname and port numbers. If the \u0027-relay\u0027 argument begins with \\\"http://\\\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.\"},{\"lang\":\"es\",\"value\":\"El cliente DuoConnect permite a los usuarios establecer conexiones SSH con hosts protegidos por una instancia DNG. Cuando un usuario inicia una conexi\u00f3n SSH con un host protegido por DNG por primera vez usando DuoConnect, el navegador del usuario es abierto en una pantalla de inicio de sesi\u00f3n para completar la autenticaci\u00f3n determinada por el contenido del argumento \\\"-relay\\\". Si el \\\"-relay\\\" est\u00e1 configurado en una URL que comienza con \\\"http://\\\", el navegador intentar\u00e1 inicialmente cargar la URL por medio de una conexi\u00f3n HTTP no segura, antes de ser redireccionado inmediatamente a HTTPS (adem\u00e1s en mecanismos de redireccionamiento est\u00e1ndar, el DNG utiliza encabezados HTTP Strict Transport Security para aplicar esto). Despu\u00e9s de autenticarse con \u00e9xito en un DNG, DuoConnect almacena un token de autenticaci\u00f3n en una memoria cach\u00e9 del sistema local, por lo que los usuarios no tienen que completar este flujo de trabajo de autenticaci\u00f3n basado en el navegador para cada conexi\u00f3n SSH posterior. Estos tokens son v\u00e1lidos por un per\u00edodo de tiempo configurable, que por defecto es de 8 horas. Si un usuario que ejecuta DuoConnect ya tiene un token v\u00e1lido, entonces, en lugar de abrir un navegador web, DuoConnect contacta directamente con el DNG, nuevamente utilizando el valor \\\"-relay\\\" configurado, y env\u00eda este token, as\u00ed como el nombre de host y los n\u00fameros de puerto del servidor SSH previsto. Si el argumento \\\"-relay\\\" comienza con \\\"http://\\\", esta petici\u00f3n se enviar\u00e1 a trav\u00e9s de una conexi\u00f3n no segura y podr\u00eda ser expuesta a un atacante que est\u00e1 rastreando el tr\u00e1fico en la misma red. Los tokens de autenticaci\u00f3n DNG que pueden estar expuestos durante la retransmisi\u00f3n SSH pueden ser usados para obtener acceso a nivel de red a los servidores y puertos protegidos por ese host de retransmisi\u00f3n dado. El DNG proporciona acceso al nivel de red solo a los servidores SSH protegidos. No interact\u00faa con la autenticaci\u00f3n y el cifrado SSH independiente. Un atacante no puede utilizar un token robado por s\u00ed mismo para autenticarse contra un servidor SSH protegido con DNG\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":2.9,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":5.5,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:duo:duoconnect:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.1.1\",\"matchCriteriaId\":\"B9DC9EC6-89ED-49E3-A675-0DC8F91CD406\"}]}]}],\"references\":[{\"url\":\"https://duo.com/labs/psa/duo-psa-2020-003\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://duo.com/labs/psa/duo-psa-2020-003\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://duo.com/labs/psa/duo-psa-2020-003\", \"name\": \"DuoConnect SSH Connection Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T07:37:54.411Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2020-3442\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-13T17:25:08.998643Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-13T17:28:47.752Z\"}}], \"cna\": {\"title\": \"DuoConnect SSH Connection Vulnerability\", \"source\": {\"defect\": [\"DUO-PSA-2020-003\"], \"advisory\": \"DUO-PSA-2020-003\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"DUO Connect\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"1.1.1\", \"versionType\": \"custom\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The Duo Product team has fixed the issue by updating DuoConnect to version 1.1.1, which rejects relay configurations that do not specify an HTTPS-based relay.\\n\\nA DNG instance will automatically instruct users to install the latest version of DuoConnect. Duo administrators do not need to perform any manual updates unless their DNG is not able to connect to the internet to download the new version of the software. In that case, administrators should instruct end-users to download the latest DuoConnect version directly using the links below.\\n\\nSteps required for end-user remediation:\\n\\nUpdate DuoConnect:\\nEnd-users will need to update DuoConnect once prompted to do so by the DNG (users will be prompted to upgrade DuoConnect during authentication in their browser from July 7, 2020 onwards).\\nThe updated version of DuoConnect can alternatively be downloaded directly from the following locations at any time: Windows - https://dl.duosecurity.com/DuoConnect-1.1.1.msi\\nmacOS - https://dl.duosecurity.com/DuoConnect-1.1.1.pkg\\nLinux - https://dl.duosecurity.com/DuoConnect-1.1.1.tar.gz\\nThe signature of DuoConnect installer files can be verified at https://duo.com/docs/checksums.\\n\\nEnd-users will need to update their DuoConnect SSH configuration if they receive the error message shown below:\\n\\nError: Invalid URL: relay scheme http://server-ssh.example.com invalid: must be https\\n\\nUpdate the SSH configuration: Locate the http relay in the SSH configuration e.g. \\u201cProxyCommand duoconnect -host=%h:%p -relay=http://server-ssh.example.com\\u201d Ensure the relay uses \\u2018https://\\u2019, and not \\u2018http://\\u2019\\n\\nThe SSH configuration for *nix and macOS operating systems can be located at ~/.ssh/config. The SSH configuration for Windows operating systems can most commonly be found in the user directory C:\\\\Users\\\\username.ssh.\\n\\nAdditionally, you can refer to the \\u201cConfigure SSH\\u201d section in the DuoConnect guide to learn more about steps for SSH configuration should you need further guidance.\"}], \"datePublic\": \"2020-07-15T00:00:00\", \"references\": [{\"url\": \"https://duo.com/labs/psa/duo-psa-2020-003\", \"name\": \"DuoConnect SSH Connection Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user\\u2019s browser is opened to a login screen in order to complete authentication determined by the contents of the \u0027-relay\u0027 argument. If the \\u2018-relay\\u2019 is set to a URL beginning with \\\"http://\\\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured \u0027-relay\u0027 value, and sends this token, as well as the intended SSH server hostname and port numbers. If the \u0027-relay\u0027 argument begins with \\\"http://\\\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-319\", \"description\": \"CWE-319 Cleartext Transmission of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2020-07-20T20:45:17\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"defect\": [\"DUO-PSA-2020-003\"], \"advisory\": \"DUO-PSA-2020-003\", \"discovery\": \"INTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"1.1.1\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"DUO Connect\"}]}, \"vendor_name\": \"Cisco\"}]}}, \"solution\": [{\"lang\": \"en\", \"value\": \"The Duo Product team has fixed the issue by updating DuoConnect to version 1.1.1, which rejects relay configurations that do not specify an HTTPS-based relay.\\n\\nA DNG instance will automatically instruct users to install the latest version of DuoConnect. Duo administrators do not need to perform any manual updates unless their DNG is not able to connect to the internet to download the new version of the software. In that case, administrators should instruct end-users to download the latest DuoConnect version directly using the links below.\\n\\nSteps required for end-user remediation:\\n\\nUpdate DuoConnect:\\nEnd-users will need to update DuoConnect once prompted to do so by the DNG (users will be prompted to upgrade DuoConnect during authentication in their browser from July 7, 2020 onwards).\\nThe updated version of DuoConnect can alternatively be downloaded directly from the following locations at any time: Windows - https://dl.duosecurity.com/DuoConnect-1.1.1.msi\\nmacOS - https://dl.duosecurity.com/DuoConnect-1.1.1.pkg\\nLinux - https://dl.duosecurity.com/DuoConnect-1.1.1.tar.gz\\nThe signature of DuoConnect installer files can be verified at https://duo.com/docs/checksums.\\n\\nEnd-users will need to update their DuoConnect SSH configuration if they receive the error message shown below:\\n\\nError: Invalid URL: relay scheme http://server-ssh.example.com invalid: must be https\\n\\nUpdate the SSH configuration: Locate the http relay in the SSH configuration e.g. \\u201cProxyCommand duoconnect -host=%h:%p -relay=http://server-ssh.example.com\\u201d Ensure the relay uses \\u2018https://\\u2019, and not \\u2018http://\\u2019\\n\\nThe SSH configuration for *nix and macOS operating systems can be located at ~/.ssh/config. The SSH configuration for Windows operating systems can most commonly be found in the user directory C:\\\\Users\\\\username.ssh.\\n\\nAdditionally, you can refer to the \\u201cConfigure SSH\\u201d section in the DuoConnect guide to learn more about steps for SSH configuration should you need further guidance.\"}], \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://duo.com/labs/psa/duo-psa-2020-003\", \"name\": \"DuoConnect SSH Connection Vulnerability\", \"refsource\": \"CISCO\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user\\u2019s browser is opened to a login screen in order to complete authentication determined by the contents of the \u0027-relay\u0027 argument. If the \\u2018-relay\\u2019 is set to a URL beginning with \\\"http://\\\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured \u0027-relay\u0027 value, and sends this token, as well as the intended SSH server hostname and port numbers. If the \u0027-relay\u0027 argument begins with \\\"http://\\\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-319 Cleartext Transmission of Sensitive Information\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2020-3442\", \"STATE\": \"PUBLIC\", \"TITLE\": \"DuoConnect SSH Connection Vulnerability\", \"ASSIGNER\": \"psirt@cisco.com\", \"DATE_PUBLIC\": \"2020-07-15T20:00:00.000Z\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2020-3442\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-13T18:18:39.826Z\", \"dateReserved\": \"2019-12-12T00:00:00\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2020-07-20T20:45:17.962522Z\", \"assignerShortName\": \"cisco\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.