Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory

Description

On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication.

Affected products and versions

Okta AD/LDAP DelAuth as of July 23, 2024

Resolution

This vulnerability was resolved in Okta's production environment on October 30, 2024.

Severity Details

If the vulnerability was exploited, this could allow a user to authenticate with the stored cache key of a previous successful authentication. Exploitation of the vulnerability required all of the following pre-conditions:

  • Okta AD/LDAP delegated authentication is used

  • MFA is not applied

  • The username is 52 characters or longer

  • The user previously authenticated creating a cache of the authentication

  • The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic

  • The authentication occurred between July 23rd, 2024 and October 30th, 2024

Customer Recommendations

Customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between July 23rd, 2024 and October 30th, 2024.
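The following is an added illustration, not Okta's code. It models the root cause the advisory describes (a cache key derived by bcrypt over userId + username + password, where bcrypt only processes the first 72 bytes of its input, a documented property of the algorithm) and implements the recommended System Log review. The 20-byte userId, the sample events, and their field layout (actor.alternateId, published, eventType, outcome.result, following the Okta System Log schema) are constructed assumptions; the username threshold follows the "52 characters or longer" pre-condition above.

```python
from datetime import datetime, timezone

# bcrypt processes at most the first 72 bytes of its input (documented
# property of the algorithm, not stated on the advisory page).
BCRYPT_INPUT_LIMIT = 72

# Window during which affected authentications could have occurred.
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 30, 23, 59, 59, tzinfo=timezone.utc)


def password_bytes_covered(user_id: str, username: str) -> int:
    """How many bytes of the password bcrypt would still see when the key
    material is userId + username + password. Zero means the password has no
    influence on the cache key at all."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def suspicious_events(events, min_username_len=52):
    """Filter System Log events: inside the advisory window and with a
    username of at least min_username_len characters."""
    hits = []
    for ev in events:
        published = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        username = ev.get("actor", {}).get("alternateId", "")
        if WINDOW_START <= published <= WINDOW_END and len(username) >= min_username_len:
            hits.append((ev["published"], username, ev["eventType"], ev["outcome"]["result"]))
    return hits


# Constructed sample data: a 20-byte userId (assumed length) and two usernames.
SAMPLE_USER_ID = "00u" + "x" * 17
LONG_USER = "a" * 40 + "@example.com"      # 52 characters
SHORT_USER = "bob@example.com"


def _event(published, username):
    return {"published": published, "eventType": "user.authentication.auth_via_AD_agent",
            "actor": {"alternateId": username}, "outcome": {"result": "SUCCESS"}}


SAMPLE_EVENTS = [
    _event("2024-09-15T10:00:00.000Z", LONG_USER),   # in window, long username
    _event("2024-09-15T10:05:00.000Z", SHORT_USER),  # in window, short username
    _event("2024-11-02T08:00:00.000Z", LONG_USER),   # long username, after the fix
]

if __name__ == "__main__":
    print("password bytes hashed:", password_bytes_covered(SAMPLE_USER_ID, LONG_USER))
    for hit in suspicious_events(SAMPLE_EVENTS):
        print("review:", hit)
```

With a 20-byte userId the password drops out of bcrypt's input exactly at a 52-character username, which is consistent with the threshold the advisory gives.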

Furthermore, Okta recommends all Okta customers implement MFA at a minimum. We also strongly encourage customers to enroll users in phishing resistant authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards) and to enforce phishing resistance for access to all applications.

Timeline

2024-07-23 - Vulnerability introduced as a bug in part of a standard Okta release

2024-10-30 - Vulnerability discovered internally

2024-10-30 - Vulnerability resolved by switching cryptographic algorithms, from Bcrypt to PBKDF2

Note: This security advisory was updated on November 4, 2024 to clarify the pre-conditions required to exploit the vulnerability.