Cisco Duo for macOS Authentication Bypass Vulnerability
cisco-sa-duo-macOS-bypass-uKZNpXE6 · Medium
A vulnerability in the smart card login authentication of Cisco Duo for macOS could allow an unauthenticated attacker with physical access to bypass authentication. This vulnerability exists because the assigned user of a smart card is not properly matched with the authenticating user. An attacker could exploit this vulnerability by configuring a smart card login to bypass Duo authentication. A successful exploit could allow the attacker to use any personal identity verification (PIV) smart card for authentication, even if the smart card is not assigned to the authenticating user. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-macOS-bypass-uKZNpXE6
Workarounds
There is a workaround that addresses this vulnerability.
If customers prefer not to update Cisco Duo for macOS at this time, they can disable the "Should bypass 2FA when using smartcard" setting in Cisco Duo for macOS on all devices. By requiring end users to authenticate with the Duo Prompt after logging in to a macOS device, customers prevent unintended bypass of the Duo Prompt with an unverified smart card.
To disable smart card 2FA bypass, run the following command in a terminal window:
```shell
sudo plutil -replace smartcard_bypass -bool false /private/var/root/Library/Preferences/com.duosecurity.maclogon.plist
```
While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
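As an added example (not part of the Cisco advisory or of Duo's own tooling), the following Python audit reads the Duo login plist named in the workaround above and reports whether the `smartcard_bypass` key still permits the bypass, so the workaround can be verified across a fleet rather than applied blindly. The plist path and key name come from the advisory's `plutil` command; the sample plist contents are constructed, and the status names are this example's own.

```python
import plistlib
from pathlib import Path

# Path and key name are taken from the advisory's plutil workaround command.
DUO_PLIST = Path("/private/var/root/Library/Preferences/com.duosecurity.maclogon.plist")
BYPASS_KEY = "smartcard_bypass"

# Remediation command exactly as the advisory gives it.
REMEDIATION = ("sudo plutil -replace smartcard_bypass -bool false "
               "/private/var/root/Library/Preferences/com.duosecurity.maclogon.plist")


def audit_plist_bytes(data: bytes) -> dict:
    """Classify the raw contents of the Duo login plist.

    status is one of:
      "vulnerable" - smartcard_bypass is explicitly true (bypass still enabled)
      "mitigated"  - smartcard_bypass is explicitly false (workaround applied)
      "unknown"    - key absent or not a boolean; the advisory does not state
                     the default, so inspect the host manually
    """
    prefs = plistlib.loads(data)  # accepts both XML and binary plist encodings
    value = prefs.get(BYPASS_KEY)
    if value is True:
        status = "vulnerable"
    elif value is False:
        status = "mitigated"
    else:
        status = "unknown"
    return {
        "status": status,
        "value": value,
        "remediation": REMEDIATION if status == "vulnerable" else None,
    }


def audit_host(path: Path = DUO_PLIST) -> dict:
    """Read-only audit of the plist on this host; never modifies the file."""
    try:
        return audit_plist_bytes(path.read_bytes())
    except FileNotFoundError:
        return {"status": "not_installed", "value": None, "remediation": None}


# Constructed sample (not captured from a real device) showing the weak setting.
SAMPLE_BYPASS_ENABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>smartcard_bypass</key><true/>
</dict></plist>"""
```

On a macOS host, `audit_host()` reads the real plist (run with sufficient privileges to read the root user's Preferences directory); the constructed sample exists so the classification logic can be exercised on any platform.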
| CVEs | CVE-2022-20662 |
|---|---|
| Cisco Bug IDs | CSCwc98927 |
| CVSS Score | Base 6.1, CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:X/RL:X/RC:X |
Products with public affected evidence
| Product | CVE | Affected evidence |
|---|---|---|
| Cisco Duo | CVE-2022-20662 | structured affected CSAF product_status |