Last October, Cisco announced a security vulnerability in their Duo Authentication for Windows Logon and RDP that impacted releases 4.0 through 4.2. In April, Cisco delivered a new release and a fix for CVE-2024-20292.
Cisco rates this vulnerability as MEDIUM.
Description
This vulnerability is due to improper storage of an unencrypted registry key in certain logs. An attacker could exploit this vulnerability by accessing the logs on an affected system, allowing the attacker to access sensitive, unencrypted information.
View Cisco’s Security Advisory in full here: Cisco Duo Authentication for Windows Logon and RDP Information Disclosure Vulnerability
Scope
The following Cisco Duo Authentication for Windows Logon and RDP releases are affected:
| Cisco Duo Authentication for Windows Logon and RDP Release | First Fixed Release |
|---|---|
| 3.1.2 and earlier | Not vulnerable. |
| 4.0.0 through 4.0.7 | Migrate to a fixed release. |
| 4.1.0 through 4.1.3 | Migrate to a fixed release. |
| 4.2.0 through 4.2.2 | Migrate to a fixed release. |
| 4.3.0 and later | Not vulnerable. |
(Table credit: Cisco)
Course of Action
Cisco recommends that users update to the latest version of Duo Authentication for Windows Logon and RDP, version 4.3.1, to mitigate this risk and avoid exploitation of this vulnerability.
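As an added triage example (not code from Cisco's advisory or from Systems Engineering's tooling), the following Python classifies a software inventory against the affected ranges in the table above and lists the hosts that still need to be migrated; the hostnames and installed versions are constructed sample data.

```python
# Added example: classify installed Duo Authentication for Windows Logon and RDP
# versions against the affected ranges published for CVE-2024-20292.

# Affected ranges copied from the advisory table (both bounds inclusive).
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 0, 7)),
    ((4, 1, 0), (4, 1, 3)),
    ((4, 2, 0), (4, 2, 2)),
]
FIXED_RELEASE = "4.3.1"  # release recommended in the Course of Action


def parse_version(text):
    """Turn '4.0.7' into (4, 0, 7) so comparisons are numeric, not lexical.

    A plain string comparison would wrongly rank '4.0.10' below '4.0.7'.
    """
    nums = tuple(int(p) for p in text.strip().split(".")[:3])
    return nums + (0,) * (3 - len(nums))  # pad '4.1' to (4, 1, 0)


def is_affected(version):
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Return the hosts that must be migrated to the fixed release.

    inventory: iterable of (hostname, installed_version) pairs, as exported
    from software-inventory or RMM tooling.
    """
    return sorted(host for host, ver in inventory if is_affected(ver))


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("rdp-gw-01", "4.2.2"),   # affected: last release of the 4.2.x range
    ("rdp-gw-02", "4.3.1"),   # fixed release, not affected
    ("fileserver", "3.1.2"),  # pre-4.0 branch, not affected
    ("jump-host", "4.0.7"),   # affected: upper bound of the 4.0.x range
    ("legacy-app", "4.1.3"),  # affected
    ("hr-ws-17", "4.3.0"),    # first not-vulnerable 4.x release
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: migrate to {FIXED_RELEASE}")
```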
For Systems Engineering clients who have Cisco Duo deployed and have SE Essentials, our secure productivity platform, we will be proactively upgrading you to the latest release. We will contact you with details on the remediation effort and scheduling.
For all others, we recommend having your affected system migrated to the latest release. If you would like our assistance, please reach out to Systems Engineering Customer Service at 207.772.4199 to have a ticket opened to get your system updated.
If you are a Systems Engineering client and have questions about this Security Alert, please contact your Account Manager.