Heads-up: Security update for Duo Network Gateway

Hey everyone! Today, we released a new version of Duo Network Gateway that includes a security update. Read on for more info about Duo Network Gateway version 2.1.0 and new versions of DuoConnect for macOS, Windows, and Linux.

The new DuoConnect versions are optional and unrelated to the vulnerability addressed by the Duo Network Gateway update.

Duo Network Gateway Version 2.1.0

  • Updated dependencies to address CVE-2022-21712.
  • Upgraded bundled Redis version to 6.2.6.
  • Updated the Redis image to Debian 11 LTS.
  • Cookies now use HMAC_SHA256 instead of HMAC_SHA1 for signing and verification.
  • Added support for the PROXY protocol for customers with high-availability deployments featuring load balancers that do not terminate TLS and add an X-Forwarded-For header.
  • Supports TLS v1.3 for incoming connections.
  • Performance enhancements to requests per second (RPS) after users have logged in to DNG.
  • A password reset is now required on initial Duo Network Gateway setup. DNG administrators performing initial configuration must have shell access to the server hosting the Docker containers to complete this step.
  • The DNG admin panel now lists sessions for all users connected through the DNG and offers the ability to terminate a user’s sessions.

DuoConnect Version 2.0.3 for macOS

  • Implements stricter certificate requirements. SSH & RDP connections to SSH & App Relays that provide their own SSL certificate will fail if the uploaded certificate for the DNG or the Relay does not contain a DNS Subject Alternative Name (SAN) value matching the Common Name.
  • DuoConnect now implements better support for RDP connections from endpoints shared by multiple users (i.e. laptops/machines).
  • Added two new command line installation switches: -getReg to get your current DNG registration and -clearReg to clear your current DNG registration.
  • Refined DuoConnect log output so that it provides more meaningful information to aid in support escalations.
  • Updated Go version used to compile DuoConnect from 1.16.15 to 1.18.1.

DuoConnect Version 2.0.3 for Windows

  • Implements stricter certificate requirements. SSH & RDP connections to SSH & App Relays that provide their own SSL certificate will fail if the uploaded certificate for the DNG or the Relay does not contain a DNS Subject Alternative Name (SAN) value matching the Common Name.
  • DuoConnect now implements better support for RDP connections from endpoints shared by multiple users (i.e. laptops/machines).
  • Added two new command line installation switches: -getReg to get your current DNG registration and -clearReg to clear your current DNG registration.
  • Corrected an issue with uninstalling DuoConnect in uncommon client scenarios.
  • Refined DuoConnect log output so that it provides more meaningful information to aid in support escalations.
  • Updated Go version used to compile DuoConnect from 1.16.15 to 1.18.1.

DuoConnect Version 2.0.3 for Linux

  • Implements stricter certificate requirements. SSH & RDP connections to SSH & App Relays that provide their own SSL certificate will fail if the uploaded certificate for the DNG or the Relay does not contain a DNS Subject Alternative Name (SAN) value matching the Common Name.
  • Refined DuoConnect log output so that it provides more meaningful information to aid in support escalations.
  • Updated Go version used to compile DuoConnect from 1.16.15 to 1.18.1.

These Duo Network Gateway and DuoConnect Release Notes are also included in the Release Notes for D247, posted today.