CVE-2020-3442
CVSS V2 Low 2.9
CVSS V3 Medium 5.7
Description
The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user’s browser is opened to a login screen in order to complete authentication determined by the contents of the '-relay' argument. If the ‘-relay’ is set to a URL beginning with "http://", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured '-relay' value, and sends this token, as well as the intended SSH server hostname and port numbers. If the '-relay' argument begins with "http://", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.
Overview
- CVE ID
- CVE-2020-3442
- Assigner
- ykramarz@cisco.com
- Vulnerability Status
- Analyzed
- Published Version
- 2020-07-20T21:15:12
- Last Modified Date
- 2020-07-24T18:45:59
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:duo:duoconnect:*:*:*:*:*:*:*:* | 1 | OR | 1.1.1 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:A/AC:M/Au:N/C:P/I:N/A:N
- Access Vector
- ADJACENT_NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 2.9
- Severity
- LOW
- Exploitability Score
- 5.5
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Attack Vector
- ADJACENT_NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- REQUIRED
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 5.7
- Base Severity
- MEDIUM
- Exploitability Score
- 2.1
- Impact Score
- 3.6
References
| Reference URL | Reference Tags |
|---|---|
| https://duo.com/labs/psa/duo-psa-2020-003 | Patch Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2020-3442 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3442 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 16:39:50 | Added to TrackCVE | |||
| 2022-12-04 20:04:30 | psirt@cisco.com | ykramarz@cisco.com | CVE Assigner | updated |
| 2022-12-04 20:04:30 | 2020-07-20T21:15Z | 2020-07-20T21:15:12 | CVE Published Date | updated |
| 2022-12-04 20:04:30 | 2020-07-24T18:45:59 | CVE Modified Date | updated | |
| 2022-12-04 20:04:30 | Analyzed | Vulnerability Status | updated |