Improper Authentication in Duo Two-Factor Authentication for macOS - CVE-2023-20199
Published: June 22, 2023
Vulnerability identifier: #VU77615
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-20199
CWE-ID: CWE-287
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Duo Two-Factor Authentication for macOS
Duo Two-Factor Authentication for macOS
Detailed vulnerability description
The vulnerability allows a local attacker to bypass authentication process.
The vulnerability exists due to the incorrect handling of responses from Cisco Duo when the application is configured to fail open. An administrator with physical access can bypass authentication process and gain unauthorized access to the target device.
How to mitigate CVE-2023-20199
Install updates from vendor's website.