On March 15, 2022, a government flash bulletin was published describing how state-sponsored cyber actors were able to use the PrintNightmare vulnerability (CVE-2021-34527) in addition to bypassing Duo 2FA to compromise an unpatched Windows machine and gain administrative privileges.
This scenario did not leverage or reveal a vulnerability in Duo software or infrastructure, but made use of a combination of configurations in both Duo and Windows that can be mitigated in policy. Duo recommends reviewing your configuration to make sure it meets your current business and security needs. Guidance is provided in the Recommendations and Best Practices section of this blog.
According to the FBI’s bulletin, cyber actors were able to obtain primary credentials for users with Duo accounts that did not have an enrolled multi-factor authentication (MFA) device. This activity was documented as early as May 2021. The actors then enrolled their own MFA device on those accounts and, once enrolled, used the accounts to compromise a Windows system with Duo Authentication for Windows Logon installed. Once logged into Windows, the threat actors exploited an unpatched PrintNightmare vulnerability (CVE-2021-34527) to gain administrative privileges and redirect Duo two-factor authentication calls away from Duo’s cloud service, effectively bypassing 2FA in order to gain access to the victim’s files.
The impact of the reported incident was the threat actor gaining access to the victim’s cloud storage and email environment.
On a broader level, the impact of an incident like this one reminds us that maintaining a high security posture is of utmost importance.
Allowing self-enrollment for new and returning users is an industry standard. We’ve tested and verified that major MFA/access providers often allow enrollment of unenrolled users by default, without any additional checks. This is done both for security (users get an MFA device attached to their account) and to reduce friction for IT support and end users.
Recommendations and Best Practices
General Best Practices:
- Require complex or strong primary user passwords
- Configure password lockout policies to thwart brute-force password attacks
- Ensure all your systems have up-to-date security patches
- Use file integrity monitoring (set alerts on any modification of files on the Domain Controller)
Duo Recommendations:
- Limit self-enrollment to the applications that genuinely need it; for all other applications, change the New User Policy from the default “Require enrollment” setting to “Deny Access”. Follow this guide to change the New User Policy setting.
- Consider setting Duo applications with configurable fail modes to “fail closed” (also called “fail secure”) so that logons are denied, not allowed, when the application cannot contact Duo’s service. See: How can I configure the fail mode for Windows Logon console and RDP logins?
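The following audit script is an added example, not Duo’s own tooling: it checks whether Duo Authentication for Windows Logon on the local host is set to fail open, optionally enforces fail closed, and flags a running Print Spooler service as remaining PrintNightmare attack surface. It assumes the installer stores the fail mode as a DWORD named FailOpen under HKLM\SOFTWARE\Duo Security\DuoCredProv (1 = fail open, 0 = fail closed); confirm the value name against your installed version before relying on it.

```powershell
# Added example (not Duo's code). Run from an elevated PowerShell session on each
# host that has Duo Authentication for Windows Logon installed.
# Assumption: fail mode lives in the DWORD value "FailOpen" under the key below.
[CmdletBinding()]
param(
    [switch]$Enforce   # rewrite FailOpen to 0 (fail closed) when it is found set to fail open
)

$duoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$host_  = $env:COMPUTERNAME

# --- 1. Duo fail mode -------------------------------------------------------
if (-not (Test-Path $duoKey)) {
    Write-Warning "$host_ : Duo Authentication for Windows Logon does not appear to be installed"
} else {
    $props = Get-ItemProperty -Path $duoKey
    # Assumption: a missing value is treated as fail open, the less safe interpretation,
    # so the host is reported rather than silently passed.
    $failOpen = if ($null -eq $props.FailOpen) { 1 } else { [int]$props.FailOpen }

    if ($failOpen -eq 0) {
        Write-Output "$host_ : Duo fail mode is fail closed (FailOpen=0) - OK"
    } else {
        Write-Warning "$host_ : Duo fail mode is fail open (FailOpen=$failOpen); logons succeed whenever Duo's service cannot be reached"
        if ($Enforce) {
            Set-ItemProperty -Path $duoKey -Name 'FailOpen' -Value 0 -Type DWord
            Write-Output "$host_ : FailOpen set to 0 (fail closed); test console and RDP logon before rolling out widely"
        }
    }
}

# --- 2. Print Spooler (CVE-2021-34527 attack surface) ----------------------
# Microsoft's published mitigation for PrintNightmare is to patch and, on hosts that
# do not need to print (domain controllers in particular), stop and disable the Spooler.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    Write-Warning "$host_ : Print Spooler is running; if this host does not need printing, disable it until it is patched for CVE-2021-34527"
} else {
    Write-Output "$host_ : Print Spooler is not running - OK"
}
```

Run it without -Enforce first to inventory the fleet, then with -Enforce on hosts where a fail-closed logon has been validated.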
Note: Snort signature IDs (SIDs) 57876 and 57877 have been released to address the PrintNightmare vulnerability.
As a Duo customer, my organization asks for a simple design change to disallow any non-user from self-enrollment. That is, no combination of policy settings could enable self-enrollment for a user not present on the User list, added by Directory Sync or by a qualified Administrator role, and thus either originating from a directory services security group or verified against such membership. As revised, Duo would need prior knowledge/verification of approved users in order to allow self-enrollment.