Cisco has assigned this vulnerability the identifier Cisco IOS Software Security Advisory: Cisco Duo Mac OS X Vulnerability (CSC:H10786). Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. However, mitigations exist to limit the impact of this vulnerability. To help limit the likelihood of exploitation, administrators are encouraged to follow these recommendations: Restrict physical access to the device where Duo for Mac is installed.

Ensure that the smart card used for Duo for Mac is assigned only to one of the users who has physical access to the device.
As a best practice, it is recommended that smart cards used for Duo for Mac be physically separated from other smart cards used for other purposes.

Where possible, configure the Cisco Authentication Agent (CAA) on the network to use a different user account for accessing Cisco devices. Additionally, ensure that the Cisco CAA is not making any connections to the Duo for Mac server on the local network.

Cisco Product Identification and End-to-End Functional Coverage

Cisco IOS Software is available on many platforms and hardware configurations, as well as with numerous software releases.

Description

Cisco has classified this vulnerability as a high severity vulnerability. It is possible that an attacker may exploit these vulnerabilities by sending a malicious HTTP packet to the web server running Duo for Mac. An attacker can use either a man-in-the-middle (MitM) attack to intercept traffic between the client and the Duo for Mac server, or he can send specially crafted HTML content to trick users into visiting malicious websites.
This vulnerability affects all versions of Cisco Duo for Mac running on any operating system, including versions 1.1 through 3.2, with root privileges that are enabled by default.

Vulnerable Products

Cisco Duo is a software product that provides two-factor authentication for devices connected to a computer.
Duo for Mac is a part of the Cisco Duo v3 solution. It provides the security features of the Duo V2 software on macOS systems and allows users to manage their accounts and secure their computers without logging into a browser or downloading an application.
Duo for Mac is vulnerable to this vulnerability if it uses the weak password policy defined in Security Configuration Guide: Cisco Duo for Mac OS X, which does not specify any password complexity requirements. This vulnerability could allow an attacker to bypass authentication via brute force with low complexity passwords.

Deploying Duo for Mac

Duo for Mac is designed to be deployed as a standalone application to the local computer, or it can also be deployed to an LDAP directory.
When deploying Duo for Mac, follow these best practices: Deploy Duo for Mac on computers that are not in production use and do not require access during business hours.
Make sure that the client PC is not connected to any corporate networks.
Deploy Duo for Mac using "local mode" only when there is no other option available.
Register and deploy Duo for Mac as a standalone application to prevent possible conflicts with any existing standalone applications installed on the system.

Timeline

Published on: 09/30/2022 19:15:00 UTC
Last modified on: 10/04/2022 18:35:00 UTC

References