Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2023-20123 |
CWE-ID | CWE-294 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | Duo Two-Factor Authentication for macOS (Client/Desktop applications / Other client software); Duo Authentication for Windows Logon and RDP (Client/Desktop applications / Other client software) |
Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU74551
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-20123
CWE-ID: CWE-294 - Authentication Bypass by Capture-replay
Exploit availability: No
Description
The vulnerability allows a local attacker to bypass the authentication process.
The vulnerability exists because session credentials do not properly expire in offline access mode. An attacker with physical access can replay previously used multifactor authentication (MFA) codes to bypass MFA protection.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Duo Two-Factor Authentication for macOS: 2.0
Duo Authentication for Windows Logon and RDP: 4.2
Q & A
Can this vulnerability be exploited remotely?
No. The attacker must have physical access to the system to successfully exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.