In today’s increasingly connected world, ensuring the security and integrity of our devices has become paramount. Unfortunately, even the most trusted software applications can sometimes fall victim to vulnerabilities that threaten our digital well-being. One such vulnerability has recently been discovered in Cisco Duo’s device health application for Windows, exposing users to potential arbitrary file attacks. In this article, we will delve into the details of this vulnerability, its potential impact on users’ systems, and explore possible mitigation strategies to safeguard against such threats.
A vulnerability in the CryptoService function of Cisco Duo Device Health Application for Windows could allow an authenticated, local attacker with low privileges to conduct directory traversal attacks and overwrite arbitrary files on an affected system.
This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by executing a directory traversal attack on an affected host. A successful exploit could allow an attacker to use a cryptographic key to overwrite arbitrary files with SYSTEM-level privileges, resulting in a denial of service (DoS) condition or data loss on the affected system.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
Affected Products
Vulnerable Products
This vulnerability affects Cisco Duo Device Health Application for Windows.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Duo Device Health Application for macOS.
Workarounds
There are no workarounds that address this vulnerability.
Fixed Releases
In the following table, the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.
| Cisco Duo Device Health Application for Windows Release | First Fixed Release |
|---|---|
| 4.0 and earlier | Not affected |
| 5.0.0 | 5.2.0 |
| 5.1.0 | 5.2.0 |
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
