
On March 15, 2022, a government flash bulletin was published describing how state-sponsored cyber actors were able to use the PrintNightmare vulnerability (CVE-2021-34527) in addition to bypassing Duo 2FA to compromise an unpatched Windows machine and gain administrative privileges.

This scenario did not leverage or reveal a vulnerability in Duo software or infrastructure, but made use of a combination of configurations in both Duo and Windows that can be mitigated in policy. Duo recommends reviewing your configuration to make sure it meets your current business and security needs. Guidance is provided in the Recommendations and Best Practices section of this blog.

According to the FBI’s bulletin, cyber actors were able to obtain access to primary credentials for users with Duo accounts that did not have an enrolled multi-factor authentication (MFA) device. This activity was documented as early as May 2021. The actors were then able to enroll their own MFA device and, once it was enrolled, to use these accounts to compromise a Windows system with Duo Authentication for Windows Logon installed. Once logged into Windows, the threat actors exploited an unpatched PrintNightmare vulnerability (CVE-2021-34527) to gain administrative privileges and redirect Duo two-factor authentication calls away from Duo’s cloud service, effectively bypassing 2FA in order to gain access to the victim’s files.

The impact of the reported incident was the threat actor gaining access to the victim’s cloud storage and email environment.

On a broader level, the impact of an incident like this one reminds us that maintaining a high security posture is of utmost importance.

Allowing for self-enrollment for new users and returning users is an industry standard. We’ve tested and verified that major MFA/Access providers often by default allow enrollment of unenrolled users without any other measures. The reason for this is to ensure security, but also to reduce friction for IT support and end users.

Recommendations and Best Practices

General Best Practices:

  • Require complex or strong primary user passwords
  • Configure password lockout policies to thwart brute-force password attacks
  • Ensure all your systems have up-to-date security patches
  • Utilize file integrity monitoring (set alerts on any modification of files on the Domain Controller)

Duo Recommendations:

Note: Snort signature IDs (SIDs) 57876 and 57877 have been released to address the PrintNightmare vulnerability.
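The incident above started with accounts that had no enrolled MFA device, so a periodic audit of the user list is a practical check. The following is an added example, not code from Duo or from the original post: it assumes user records with the `status`, `is_enrolled` and `last_login` fields of the Duo Admin API user object, uses constructed sample data, and adds a hypothetical 90-day inactivity threshold that the post does not specify.

```python
from datetime import datetime, timezone

# Constructed sample records shaped like Duo Admin API user objects
# (field names assumed from that API; all values are invented).
SAMPLE_USERS = [
    {"username": "alice", "status": "active", "is_enrolled": True,
     "last_login": 1646000000},
    {"username": "old-contractor", "status": "active", "is_enrolled": False,
     "last_login": None},
    {"username": "svc-backup", "status": "bypass", "is_enrolled": False,
     "last_login": 1600000000},
    {"username": "bob", "status": "active", "is_enrolled": True,
     "last_login": 1620000000},
    {"username": "former-employee", "status": "disabled", "is_enrolled": False,
     "last_login": None},
]

STALE_DAYS = 90  # hypothetical threshold; set to your own inactivity policy


def audit_users(users, now, stale_days=STALE_DAYS):
    """Return {username: [reasons]} for accounts that deserve review."""
    findings = {}
    for u in users:
        if u.get("status") == "disabled":
            continue  # disabled accounts are already denied login
        reasons = []
        if not u.get("is_enrolled"):
            reasons.append("no enrolled MFA device")
        if u.get("status") == "bypass":
            reasons.append("status is bypass (2FA skipped)")
        last = u.get("last_login")
        if last is None:
            reasons.append("never logged in")
        elif (now - datetime.fromtimestamp(last, timezone.utc)).days > stale_days:
            reasons.append(f"inactive for more than {stale_days} days")
        if reasons:
            findings[u["username"]] = reasons
    return findings


if __name__ == "__main__":
    # Fixed reference date (the bulletin's date) keeps the output reproducible.
    now = datetime(2022, 3, 15, tzinfo=timezone.utc)
    for name, reasons in audit_users(SAMPLE_USERS, now).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Accounts flagged as both unenrolled and never logged in are the closest match to the ones described in the bulletin and are the first candidates to disable or remove.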

 



Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations