PT-2020-17251 · Duo · Duo Network Gateway

Published

2020-10-14

Updated

2020-10-29

CVE-2020-3483

CVSS v3.1

7.1

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Duo Network Gateway (DNG) versions 1.3.3 through 1.5.7

Description The issue concerns the logging of customer-provided SSL certificates and private keys in plain-text to local files on the DNG host. This could allow an attacker with access to the DNG logs and the ability to intercept and manipulate network traffic to decrypt and manipulate SSL/TLS connections to the DNG and protected applications.

Recommendations For Duo Network Gateway (DNG) versions 1.3.3 through 1.5.7, update to a version that includes the fix for this issue to prevent certificate and private key information from being logged in plain-text.

Fix

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-256CWE-522

Related Identifiers

CVE-2020-3483

Affected Products

Duo Network Gateway

PT-2020-17251 · Duo · Duo Network Gateway

CVE-2020-3483

Weakness Enumeration

Related Identifiers

Affected Products

References · 3