nvd-json-data-feeds/CVE-2020/CVE-2020-34xx/CVE-2020-3442.json

{
  "id": "CVE-2020-3442",
  "sourceIdentifier": "ykramarz@cisco.com",
  "published": "2020-07-20T21:15:12.657",
  "lastModified": "2020-07-24T18:45:59.450",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user\u00e2\u20ac\u2122s browser is opened to a login screen in order to complete authentication determined by the contents of the '-relay' argument. If the \u00e2\u20ac\u02dc-relay\u00e2\u20ac\u2122 is set to a URL beginning with \"http://\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured '-relay' value, and sends this token, as well as the intended SSH server hostname and port numbers. If the '-relay' argument begins with \"http://\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server."
    },
    {
      "lang": "es",
      "value": "El cliente DuoConnect permite a los usuarios establecer conexiones SSH con hosts protegidos por una instancia DNG. Cuando un usuario inicia una conexi\u00f3n SSH con un host protegido por DNG por primera vez usando DuoConnect, el navegador del usuario es abierto en una pantalla de inicio de sesi\u00f3n para completar la autenticaci\u00f3n determinada por el contenido del argumento \"-relay\". Si el \"-relay\" est\u00e1 configurado en una URL que comienza con \"http://\", el navegador intentar\u00e1 inicialmente cargar la URL por medio de una conexi\u00f3n HTTP no segura, antes de ser redireccionado inmediatamente a HTTPS (adem\u00e1s en mecanismos de redireccionamiento est\u00e1ndar, el DNG utiliza encabezados HTTP Strict Transport Security para aplicar esto). Despu\u00e9s de autenticarse con \u00e9xito en un DNG, DuoConnect almacena un token de autenticaci\u00f3n en una memoria cach\u00e9 del sistema local, por lo que los usuarios no tienen que completar este flujo de trabajo de autenticaci\u00f3n basado en el navegador para cada conexi\u00f3n SSH posterior. Estos tokens son v\u00e1lidos por un per\u00edodo de tiempo configurable, que por defecto es de 8 horas. Si un usuario que ejecuta DuoConnect ya tiene un token v\u00e1lido, entonces, en lugar de abrir un navegador web, DuoConnect contacta directamente con el DNG, nuevamente utilizando el valor \"-relay\" configurado, y env\u00eda este token, as\u00ed como el nombre de host y los n\u00fameros de puerto del servidor SSH previsto. Si el argumento \"-relay\" comienza con \"http://\", esta petici\u00f3n se enviar\u00e1 a trav\u00e9s de una conexi\u00f3n no segura y podr\u00eda ser expuesta a un atacante que est\u00e1 rastreando el tr\u00e1fico en la misma red. Los tokens de autenticaci\u00f3n DNG que pueden estar expuestos durante la retransmisi\u00f3n SSH pueden ser usados para obtener acceso a nivel de red a los servidores y puertos protegidos por ese host de retransmisi\u00f3n dado. El DNG proporciona acceso al nivel de red solo a los servidores SSH protegidos. No interact\u00faa con la autenticaci\u00f3n y el cifrado SSH independiente. Un atacante no puede utilizar un token robado por s\u00ed mismo para autenticarse contra un servidor SSH protegido con DNG"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "attackVector": "ADJACENT_NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6
      },
      {
        "source": "ykramarz@cisco.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "attackVector": "ADJACENT_NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
          "accessVector": "ADJACENT_NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.9
        },
        "baseSeverity": "LOW",
        "exploitabilityScore": 5.5,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ]
    },
    {
      "source": "ykramarz@cisco.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:duo:duoconnect:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "1.1.1",
              "matchCriteriaId": "B9DC9EC6-89ED-49E3-A675-0DC8F91CD406"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://duo.com/labs/psa/duo-psa-2020-003",
      "source": "ykramarz@cisco.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ]
    }
  ]
}