DUO “push” Timing Attack

PSC Risk Assessment
CVSS 7.3, (AV:N/AC:L/Au:M/C:C/I:N/A:C/E:F/RL:ND/RC:ND)

Description
Duo “push” authentications are susceptible to a low-profile timing-based attack that permits an intruder to steal an authenticated session from an end-user accessing Duo-protected resources.  Specifically, when multiple “push” notifications arrive simultaneously (or nearly so), only the final one is shown to the user.  When the user authenticates that notification, only the corresponding session will actually be authenticated.  If an attacker can initiate an equivalent connection slightly after the client’s session, then the user will typically authorize the malicious session rather than his or her own.

Proof of Concept
PSC has created a software agent that targets Duo “push” authentications for remote desktop (RDP) services.  This agent collects the client system’s netstat information twenty or more times per second, looking for outbound connections to the Duo-protected resource.  

Once detected, the agent then monitors the RDP connection to determine when the desktop has been created and the “push” notification has been sent.  The agent then sends a notification across the network to the attacker’s system, where another agent immediately initiates another connection to the RDP service.
Since the malicious session begins slightly after the client’s legitimate session (typically less than one second), the victim’s mobile device will display a single “push” notification representing the malicious session, rather than the legitimate one.  The user will likely authorize (since a mobile authorization is expected).

The attacker’s system gains an authenticated session, while the victim’s session times out.  In practical execution, most users will assume that there was a glitch of some sort, and try again without recognizing the security import of the failed connection.  The timeout provides sufficient opportunity for a prepared attacker to make use of the stolen session (consider also that an attacker may target another RDP server or the RDP console session, and thus produce two simultaneous, valid RDP sessions).

Preconditions
The intruder must possess the following in order to carry out this attack: 
1.  Knowledge of the credentials used by the victim when accessing the resource.
      a.  This can usually be obtained by keylogging, collection of password vaults, file shares, etc.
2.  The ability to execute code on the victim’s system.

 
Configurations Affected
•  Duo Security Authentication Proxy 2.4.8
•  Duo Win Login 1.1.8

PSC’s current software agent is designed specifically for remote desktop (RDP).  This design can be adapted to target other services, such as web applications, VPNs, etc.  The key observation is that the malicious agent must be able to determine with reasonable precision (within one second) when the “push” notification has been initiated.  

Also, this attack assumes that “push” notifications are used for authentications.  If the user prefers the numeric entry method, this type of attack will not work.  That said, there are practical attacks against keyboard entry as well, so this should not be considered a secure workaround or alternative.


Research Credit
Josh Stone, PSC Penetration Tester
Patrick Fussell, PSC Penetration Tester

Timeline
2015-02-04  Successful proof of concept 
2015-02-13  Disclosure submitted to security@duosecurity.com 
2015-02-25  Vendor Confirmation of Vulnerability
2015-06-08  Vendor Fix Released: https://www.duosecurity.com/blog/raising-the-bar-anomaly-detection