Okta reports authentication bypass flaw for some long usernames
Take action: You can't do much about this flaw; Okta needed to patch it, and they have. But you can learn from it: there can always be edge cases where a security control doesn't work, such as a username longer than 52 characters under specific AD caching conditions. Always add multiple layers of controls, since any single control can fail.
Learn More
Okta reports that it has remediated a critical vulnerability in its AD/LDAP Delegated Authentication (DelAuth) system that could allow unauthorized access under specific conditions.
Tracked internally by Okta and identified on October 30, 2024, the flaw was introduced during a routine update on July 23, 2024. It stemmed from the use of the Bcrypt algorithm to generate cache keys for AD/LDAP DelAuth by hashing a combination of user ID, username, and password. Bcrypt only processes the first 72 bytes of its input, so when the user ID and username together filled that window, the password no longer influenced the resulting key. In cases where a username exceeded 52 characters, the flaw could therefore enable authentication without requiring the password if certain other conditions were met.
The vulnerability could be exploited under the following specific circumstances:
- Username Length: Only usernames of 52 characters or longer were susceptible.
- Cache Key Dependence: The DelAuth system would allow login using a previously cached successful login attempt.
- Agent Down or High Traffic Conditions: The issue was triggered if the authentication agent was down or unreachable, or if there was high traffic, either of which forced the DelAuth system to fall back on cached data.
The flaw allowed unauthorized access if:
- The organization’s authentication policy did not require multi-factor authentication (MFA).
- A cache entry from a previous successful authentication was accessible and matched a subsequent login attempt for that 52-character (or longer) username.
Okta’s response included an immediate update on October 30, 2024, replacing Bcrypt with the PBKDF2 algorithm for cache key generation to mitigate the vulnerability.
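As an added illustration (not Okta's code, and not a description of its actual implementation), the following Python models the cache-key derivation described above: a stand-in for the Bcrypt-based key that, like Bcrypt, uses only the first 72 bytes of its input, beside a PBKDF2-HMAC key that hashes the whole input, and a simulated agent-down fallback that accepts a login when the recomputed key matches the cached one. The field order, the 20-character user ID, the 52-character username and the salt are constructed assumptions, and SHA-256 stands in for Bcrypt so the sample runs with the standard library alone.

```python
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bcrypt silently ignores everything past its 72nd input byte

# Constructed sample values: a 20-character Okta-style user ID and a 52-character username.
SAMPLE_USER_ID = "00u1234567890abcdefg"
SAMPLE_USERNAME = "firstname.lastname.contractor@subsidiary.example.com"
SAMPLE_SALT = b"constructed-static-salt"

def cache_material(user_id: str, username: str, password: str) -> bytes:
    """Concatenate the three fields the advisory names (field order is an assumption)."""
    return f"{user_id}{username}{password}".encode("utf-8")

def password_bytes_in_window(user_id: str, username: str) -> int:
    """How many bytes of the password still fall inside bcrypt's 72-byte window."""
    return max(0, BCRYPT_INPUT_LIMIT - len(cache_material(user_id, username, "")))

def vulnerable_cache_key(user_id: str, username: str, password: str, salt: bytes) -> str:
    """Stand-in for the bcrypt-based key: only the first 72 input bytes reach the hash."""
    truncated = cache_material(user_id, username, password)[:BCRYPT_INPUT_LIMIT]
    return hashlib.sha256(salt + truncated).hexdigest()

def fixed_cache_key(user_id: str, username: str, password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 processes the whole input, so every password byte matters."""
    return hashlib.pbkdf2_hmac("sha256", cache_material(user_id, username, password),
                               salt, 100_000).hex()

def cached_login_accepted(keyfunc, cached_key: str, user_id: str, username: str,
                          attempted_password: str, salt: bytes) -> bool:
    """Models the agent-down fallback: accept if the recomputed key equals the cached one."""
    return hmac.compare_digest(keyfunc(user_id, username, attempted_password, salt), cached_key)

def wrong_password_accepted(keyfunc, username: str) -> bool:
    """Cache a genuine login, then replay it with a wrong password under the given key scheme."""
    cached = keyfunc(SAMPLE_USER_ID, username, "correct-horse-battery", SAMPLE_SALT)
    return cached_login_accepted(keyfunc, cached, SAMPLE_USER_ID, username,
                                 "wrong-password", SAMPLE_SALT)

if __name__ == "__main__":
    for name in (SAMPLE_USERNAME, "jane.doe@example.com"):
        print(f"{len(name)}-char username, password bytes hashed by bcrypt-style key:",
              password_bytes_in_window(SAMPLE_USER_ID, name))
        print("  bcrypt-style key accepts wrong password:", wrong_password_accepted(vulnerable_cache_key, name))
        print("  PBKDF2 key accepts wrong password:      ", wrong_password_accepted(fixed_cache_key, name))
```

With the 52-character username the bcrypt-style key accepts any password at all, while the same 20-character user ID with a 20-character username leaves 32 bytes of password inside the window and the wrong password is rejected under both schemes.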
Organizations using long usernames, particularly in Active Directory (AD) or LDAP configurations, were at increased risk if their authentication agents met the conditions above. To help customers identify potential impact, Okta has recommended that they review system logs from July 23, 2024, to October 30, 2024, for any unusual access attempts.
Okta encourages customers affected by this vulnerability to audit their system logs over the specified period to detect unauthorized logins. For future prevention, organizations are also advised to add further security layers, such as enforcing MFA, to limit the impact of similar vulnerabilities.