The "PrintNightmare" vulnerability is a Windows issue, and our recommendation is to follow the mitigation guidance published by the Cybersecurity & Infrastructure Security Agency (CISA). Following those recommendations also mitigates the ability to manipulate MFA safeguards.
Regarding how this vulnerability was then used to manipulate the Duo MFA solution, there are two areas to address for Symantec VIP.
"Fail open" can happen in any MFA implementation and is not exclusive to Duo:
- Symantec VIP does not "fail open" by default. For RADIUS authentication we do offer an 'Automatic Business Continuity Mode' option, but it must be selected manually in the RADIUS configuration; there is no way for an outside entity to turn it on. The option is offered at the customer's discretion so that user authentications can "fail open" in the event of a communication issue between the VIP Enterprise Gateway (EGW) server and our Cloud Service URL.
- If 'Automatic Business Continuity Mode' is enabled, an intruder who has gained access to the VIP EGW server would be able to perform the same steps outlined in the CISA alert to bypass MFA. This is working as designed: when communication to the cloud services fails, the option lets the customer decide that continued productivity takes precedence over the security concern. The intruders are taking advantage of this to abuse the way MFA systems are designed.
- If 'Automatic Business Continuity Mode' is not enabled, this is not an issue. Business Continuity can be enabled manually only by logging on directly to the EGConsole, which is not vulnerable to this method of attack.
- For more information regarding Business Continuity, please refer to this documentation: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip/cloud/vip-enterprise-gateway-v127046045-d2278e2615/VIP-Enterprise-Gateway-Installation-Configuration/about-the-v119936153-d2362e2151/configuring-automatic-business-continuity-id-65694-d2362e8487.html
Inactive MFA user accounts:
- There is currently no way to disable inactive/dormant accounts in VIP Manager. An Enhancement Request exists to offer this as a policy option, but there is no ETA for when it will be implemented.
- The current solution is to configure your VIP User Store Filter so that it does not include "Disabled" Active Directory accounts. If the User Store Filter excludes disabled accounts, those users fail the User Store check and VIP RADIUS stops the authentication at that point, regardless of the MFA check. In addition, the LDAP Synchronization service will remove the accounts that no longer match the filter from VIP Manager, ensuring that disabled AD users no longer have an inactive/dormant account in VIP Manager. Note that this only covers accounts that are actually disabled in AD: an account that is enabled but unused still passes the User Store check, so dormant accounts must be disabled in AD to be kept out of VIP.
- For more information on configuring the User Store Filter, please reference this KB article: https://knowledge.broadcom.com/external/article?articleId=163791
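The following is an added illustration, not code from the Broadcom article or from Symantec VIP itself. It shows a standard Active Directory LDAP filter that excludes disabled accounts (assumed here to be the kind of expression the User Store Filter carries; the exact configuration field is described in the KB article above), evaluates it offline the way a directory would against constructed sample entries, and adds a lastLogonTimestamp check that flags the enabled-but-dormant accounts the filter still lets through, since VIP Manager cannot disable those itself. The entry data, account names and the 90-day threshold are assumptions.

```python
"""Offline check of a 'no disabled accounts' user-store filter against sample AD entries.

Added example (not Symantec/Broadcom code). The directory entries below are
constructed for illustration, not taken from a real directory.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits defined by Active Directory
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200

# OID of the AD bitwise-AND extensible matching rule (LDAP_MATCHING_RULE_BIT_AND)
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Standard AD filter selecting enabled user objects only. objectCategory=person
# is needed because computer objects also carry objectClass=user.
# Assumption: this is the expression placed in the VIP User Store Filter.
USER_STORE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2)))"
)

# Windows FILETIME: 100-ns ticks since 1601-01-01 UTC (format of lastLogonTimestamp)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def passes_user_store_filter(entry):
    """Evaluate USER_STORE_FILTER as the directory would: an enabled person/user object."""
    uac = entry.get("userAccountControl", 0)
    return (
        entry.get("objectCategory") == "person"
        and "user" in entry.get("objectClass", ())
        and not (uac & ADS_UF_ACCOUNTDISABLE)  # the :1.2.840.113556.1.4.803:=2 clause
    )


def is_dormant(entry, now, max_age_days=90):
    """True if the account has not logged on within max_age_days.

    lastLogonTimestamp is replicated but, by default, only rewritten when the
    stored value is more than 14 days old, so the threshold is approximate.
    """
    filetime = entry.get("lastLogonTimestamp")
    if not filetime:  # attribute absent or 0: the account has never logged on
        return True
    return now - filetime_to_datetime(filetime) > timedelta(days=max_age_days)


def classify(entries, now, max_age_days=90):
    """Bucket entries: rejected by the filter, passing but dormant, passing and active."""
    result = {"filtered_out": [], "dormant_but_passes": [], "active": []}
    for entry in entries:
        name = entry["sAMAccountName"]
        if not passes_user_store_filter(entry):
            result["filtered_out"].append(name)
        elif is_dormant(entry, now, max_age_days):
            result["dormant_but_passes"].append(name)
        else:
            result["active"].append(name)
    return result


# Constructed sample entries (not real directory data); NOW is fixed for reproducibility.
NOW = datetime(2022, 4, 1, tzinfo=timezone.utc)
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE,  # disabled in AD
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "carol", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT,  # enabled but unused for 200 days
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "dave", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT},  # enabled, never logged on
    {"sAMAccountName": "fileserver$", "objectCategory": "computer",
     "objectClass": USER_CLASSES + ["computer"],  # computer objects also have objectClass=user
     "userAccountControl": 0x1000},
]


if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_ENTRIES, NOW).items():
        print(f"{bucket}: {names}")
```

Running it shows bob and the computer object rejected by the filter, alice passing as active, and carol and dave passing the filter despite being dormant: those are the accounts an administrator has to disable in AD (or otherwise exclude) before the User Store Filter and LDAP synchronization will remove them from VIP Manager.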