Duo Security is a business that provides two-factor authentication services across multiple platforms. Late last week, the company announced on their blog they discovered a security vulnerability in their WordPress plugin. According to Duo, the vulnerability only affects WordPress Multisite installations where the plugin is enabled on an individual per-site basis. The vulnerability may allow a user of one site within a Multisite network to bypass the second factor of authentication of another site within the same network. Within their customer bulletin, they offered the following example:
A multisite WordPress deployment has two sites, Site1 and Site2, with the Duo WordPress plugin enabled for Site1 but disabled for Site2. Under normal circumstances, users logging into Site1 will be prompted for primary credentials and second-factor authentication; Site2 users will be prompted only for primary credentials. A Site1 user may force-browse to the login URL of Site2, which will authenticate the user (as part of the same WordPress multisite network), and redirect them back to Site1, without prompting for second-factor authentication.
To clarify who might be at risk, Duo outlined these three criteria:
- Only WordPress “Multisite” deployments that have chosen to deploy the plugin on an individual site basis are affected.
- Normal WordPress deployments or Multisite deployments with the plugin enabled globally are NOT affected.
- The user must still present correct primary authentication (eg. username and password); only the second factor is bypassed.
Duo discovered the vulnerability is not restricted to just their plugin. The company says the vulnerability exists in other two-factor authentication plugins and they have contacted those vendors to share their findings. If you use a two-factor authentication plugin other than Duo, you’re encouraged to contact the author or vendor. Ask them if their plugin contains the vulnerability and whether or not it’s been fixed.
Duo has yet to announce they have permanently fixed the problem but have recommended a workaround for WordPress Multisite deployments: enable duo_wordpress globally, and disable it for specific user roles.
That is an interesting bug. It’s nice to see they’re being open about it and not just hurrying a fix out the door and hoping nobody will notice.