Okta, the leading identity and access management platform, recently announced a critical security update to address a vulnerability in its Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) Delegated Authentication mechanism.
This flaw, identified internally and resolved on October 30, 2024, has raised concerns among organizations that rely on Okta for secure user authentication, as it could potentially allow unauthorized access under certain conditions.
Using long passwords unsafe?
The vulnerability emerged in Okta’s caching mechanism, specifically in its use of the Bcrypt algorithm for generating cache keys for AD/LDAP Delegated Authentication (DelAuth). When an exceptionally long username (52 characters or more) was used under specific circumstances, it created an opening for users to authenticate using a stored cache key from a previous session. This means that with certain conditions met, users could log in by essentially bypassing the need for a fresh authentication check.
To exploit the vulnerability, several factors had to be aligned, including:
- AD/LDAP delegated authentication enabled,
- Multifactor Authentication (MFA) not in use,
- The user had previously authenticated with a username exceeding 52 characters, and
- The AD/LDAP agent was temporarily inaccessible due to downtime or high network traffic.
According to Okta, this flaw likely affected a limited number of users between July 23 and October 30, 2024, the timeframe during which the vulnerability was introduced and ultimately resolved. Okta has since shifted from Bcrypt to PBKDF2, a more suitable cryptographic algorithm, to prevent future cache key inconsistencies.
Okta is urging customers who meet the preconditions of this vulnerability to inspect their Okta System Logs for any unexpected authentications involving usernames longer than 52 characters within the specified period. Okta also emphasizes the importance of enabling MFA across all applications and encourages users to implement phishing-resistant authenticators, such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards, to enhance security.
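The log review Okta recommends above, written out as an added example (this is not Okta's code): it filters System Log events for successful AD/LDAP delegated authentications whose username is 52 characters or longer and whose timestamp falls inside the July 23 to October 30, 2024 window. The sample events are constructed, and the exact event-type strings and field names are assumptions about the System Log export format that should be checked against your own logs.

```python
import json
from datetime import datetime, timezone

# Constructed sample Okta System Log events (not real log data). Field names
# (actor.alternateId, eventType, outcome.result, published) and the delegated
# authentication eventType values are assumptions about the export schema.
LONG_USER = "firstname.middlename.lastname.department@very-long-subdomain.example.com"
SAMPLE_EVENTS = [
    {"published": "2024-08-15T09:12:44.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-08-15T09:13:01.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": "jdoe@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-06-01T11:00:00.000Z", "eventType": "user.authentication.auth_via_LDAP_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-09-02T17:45:10.000Z", "eventType": "user.authentication.auth_via_LDAP_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "FAILURE"}},
]

# Window in which the affected cache-key scheme was live, per Okta's advisory.
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 30, 23, 59, 59, tzinfo=timezone.utc)
MIN_USERNAME_LEN = 52
# Assumed event types for AD/LDAP delegated authentication outcomes.
DELAUTH_EVENT_TYPES = {
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_LDAP_agent",
}


def parse_published(ts: str) -> datetime:
    """Parse the System Log 'published' timestamp (ISO 8601, 'Z' suffix) to aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def flag_suspect_delauth_events(events):
    """Return successful DelAuth logins with usernames of 52+ characters inside the window."""
    flagged = []
    for ev in events:
        if ev.get("eventType") not in DELAUTH_EVENT_TYPES:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        username = ev.get("actor", {}).get("alternateId", "")
        if len(username) < MIN_USERNAME_LEN:
            continue
        if not WINDOW_START <= parse_published(ev["published"]) <= WINDOW_END:
            continue
        flagged.append({"published": ev["published"], "eventType": ev["eventType"],
                        "username": username, "username_length": len(username)})
    return flagged


if __name__ == "__main__":
    print(json.dumps(flag_suspect_delauth_events(SAMPLE_EVENTS), indent=2))
```

Each flagged row is a login to verify against the user's expected activity; a hit does not by itself prove the cache key was reused, but it is exactly the set Okta asks customers to inspect.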
More fixes on Okta products
In addition to the DelAuth cache key vulnerability, Okta has addressed another security flaw, CVE-2024-9191, affecting Windows passwordless logins through the Okta Verify Desktop MFA. This vulnerability, identified during routine penetration testing, could allow attackers on compromised devices to retrieve credentials used in passwordless login processes. The issue impacted users of Okta Verify for Windows versions 5.0.2 to 5.3.2.
Okta advises customers using affected versions to upgrade to Okta Verify 5.3.3 or later, which contains a patch for the vulnerability. Importantly, only users employing the Okta Device Access passwordless feature are at risk, as other configurations and platforms remain unaffected.
Another recently disclosed Okta vulnerability affecting “Classic” configuration users also warrants investigation. This separate issue, which was resolved earlier in October, potentially allowed attackers with valid credentials to bypass specific sign-on policies for high-sensitivity applications.