{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T01:40:18.351","vulnerabilities":[{"cve":{"id":"CVE-2020-3442","sourceIdentifier":"psirt@cisco.com","published":"2020-07-20T21:15:12.657","lastModified":"2024-11-21T05:31:04.563","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user’s browser is opened to a login screen in order to complete authentication determined by the contents of the '-relay' argument. If the ‘-relay’ is set to a URL beginning with \"http://\", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured '-relay' value, and sends this token, as well as the intended SSH server hostname and port numbers. If the '-relay' argument begins with \"http://\", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server."},{"lang":"es","value":"El cliente DuoConnect permite a los usuarios establecer conexiones SSH con hosts protegidos por una instancia DNG. Cuando un usuario inicia una conexión SSH con un host protegido por DNG por primera vez usando DuoConnect, el navegador del usuario es abierto en una pantalla de inicio de sesión para completar la autenticación determinada por el contenido del argumento \"-relay\". Si el \"-relay\" está configurado en una URL que comienza con \"http://\", el navegador intentará inicialmente cargar la URL por medio de una conexión HTTP no segura, antes de ser redireccionado inmediatamente a HTTPS (además en mecanismos de redireccionamiento estándar, el DNG utiliza encabezados HTTP Strict Transport Security para aplicar esto). Después de autenticarse con éxito en un DNG, DuoConnect almacena un token de autenticación en una memoria caché del sistema local, por lo que los usuarios no tienen que completar este flujo de trabajo de autenticación basado en el navegador para cada conexión SSH posterior. Estos tokens son válidos por un período de tiempo configurable, que por defecto es de 8 horas. Si un usuario que ejecuta DuoConnect ya tiene un token válido, entonces, en lugar de abrir un navegador web, DuoConnect contacta directamente con el DNG, nuevamente utilizando el valor \"-relay\" configurado, y envía este token, así como el nombre de host y los números de puerto del servidor SSH previsto. Si el argumento \"-relay\" comienza con \"http://\", esta petición se enviará a través de una conexión no segura y podría ser expuesta a un atacante que está rastreando el tráfico en la misma red. Los tokens de autenticación DNG que pueden estar expuestos durante la retransmisión SSH pueden ser usados para obtener acceso a nivel de red a los servidores y puertos protegidos por ese host de retransmisión dado. El DNG proporciona acceso al nivel de red solo a los servidores SSH protegidos. No interactúa con la autenticación y el cifrado SSH independiente. Un atacante no puede utilizar un token robado por sí mismo para autenticarse contra un servidor SSH protegido con DNG"}],"metrics":{"cvssMetricV31":[{"source":"psirt@cisco.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:A/AC:M/Au:N/C:P/I:N/A:N","baseScore":2.9,"accessVector":"ADJACENT_NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":5.5,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"psirt@cisco.com","type":"Secondary","description":[{"lang":"en","value":"CWE-319"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-319"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:duo:duoconnect:*:*:*:*:*:*:*:*","versionEndExcluding":"1.1.1","matchCriteriaId":"B9DC9EC6-89ED-49E3-A675-0DC8F91CD406"}]}]}],"references":[{"url":"https://duo.com/labs/psa/duo-psa-2020-003","source":"psirt@cisco.com","tags":["Patch","Vendor Advisory"]},{"url":"https://duo.com/labs/psa/duo-psa-2020-003","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"]}]}}]}