CVE-2020-3483

Duo Network Gateway (DNG) Information Disclosure Vulnerability

Description

Duo has identified and fixed an issue with the Duo Network Gateway (DNG) product in which some customer-provided SSL certificates and private keys were not excluded from logging. This issue resulted in certificate and private key information being written out in plain-text to local files on the DNG host. Any private keys logged in this way could be viewed by those with access to the DNG host operating system without any need for reversing encrypted values or similar techniques. An attacker that gained access to the DNG logs and with the ability to intercept and manipulate network traffic between a user and the DNG, could decrypt and manipulate SSL/TLS connections to the DNG and to the protected applications behind it. Duo Network Gateway (DNG) versions 1.3.3 through 1.5.7 are affected.

Remediation

Solution:

  • To prevent this issue, DNG administrators should upgrade to the latest version, 1.5.8, by following the upgrade instructions on the DNG page on Duo.com: https://duo.com/docs/dng#upgrading-duo-network-gateway Customers should search all possible locations where logs have been written to determine if certificate and/or key information has been stored in logs. Note that DNG logs are overwritten each time the DNG is restarted, potentially overwriting any logs containing this sensitive information unless they had been previously exported from the Docker container.

Categories

7.1
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.03%
Vendor Advisory duo.com
Affected: Cisco Duo Network Gateway (DNG)
Published at:
Updated at:

References

Link Tags
https://duo.com/labs/psa/duo-psa-2020-004 patch vendor advisory

Frequently Asked Questions

What is the severity of CVE-2020-3483?
CVE-2020-3483 has been scored as a high severity vulnerability.
How to fix CVE-2020-3483?
To fix CVE-2020-3483: To prevent this issue, DNG administrators should upgrade to the latest version, 1.5.8, by following the upgrade instructions on the DNG page on Duo.com: https://duo.com/docs/dng#upgrading-duo-network-gateway Customers should search all possible locations where logs have been written to determine if certificate and/or key information has been stored in logs. Note that DNG logs are overwritten each time the DNG is restarted, potentially overwriting any logs containing this sensitive information unless they had been previously exported from the Docker container.
Is CVE-2020-3483 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-3483 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-3483?
CVE-2020-3483 affects Cisco Duo Network Gateway (DNG).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.