Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory
Description
On October 30, 2024, a vulnerability was internally identified in the generation of the cache key for AD/LDAP DelAuth. The cache key was produced with the Bcrypt algorithm by hashing the concatenated string userId + username + password. Bcrypt only processes the first 72 bytes of its input, so once the userId and username together filled that limit the password no longer contributed to the key. Under the specific set of conditions listed below, this could allow a user to authenticate by supplying only the username, regardless of the password entered, because the stored cache key from a previous successful authentication would still match.
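The following is an added example, not Okta's code, that models the cache-key derivation described above and the PBKDF2 replacement mentioned in the timeline. It assumes a 20-character Okta user ID (the length of IDs of the form 00u...), which is why a 52-character username reaches bcrypt's 72-byte limit; that arithmetic is an inference from the advisory, not a statement in it. The "vulnerable" key uses a SHA-256 stand-in over bcrypt's 72-byte effective input rather than a real bcrypt call, so it runs without extra packages; a real bcrypt hash with a fixed salt behaves the same way with respect to truncation. The salt, iteration count and sample credentials are constructed.

```python
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72                   # bcrypt ignores everything after byte 72
USER_ID = "00u1a2b3c4d5e6f7g8h9"           # constructed, assumed 20-char Okta user ID


def bcrypt_effective_input(material: bytes) -> bytes:
    """Bytes that actually reach the bcrypt core: the 72-byte prefix only."""
    return material[:BCRYPT_INPUT_LIMIT]


def cache_key_vulnerable(user_id: str, username: str, password: str) -> bytes:
    """Model of the pre-fix key: bcrypt(userId + username + password).

    Stand-in: SHA-256 over the truncated input reproduces the property that
    matters here (bytes past 72 never influence the key).
    """
    material = (user_id + username + password).encode("utf-8")
    return hashlib.sha256(bcrypt_effective_input(material)).digest()


def cache_key_fixed(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Model of the post-fix key: PBKDF2-HMAC over the full string, no length cap.

    Iteration count is illustrative (constructed), not Okta's setting.
    """
    material = (user_id + username + password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=32)


def password_bytes_that_matter(user_id: str, username: str) -> int:
    """How many leading password bytes still reach bcrypt for this user."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def cache_accepts(stored_key: bytes, candidate_key: bytes) -> bool:
    """Constant-time comparison of a stored cache key with a fresh derivation."""
    return hmac.compare_digest(stored_key, candidate_key)


def replay_check(username: str, real_password: str, attempted_password: str) -> dict:
    """Does a later attempt with the same username but a different password
    match the key cached from the victim's real login?"""
    salt = b"constructed-per-user-salt"
    stored_old = cache_key_vulnerable(USER_ID, username, real_password)
    attempt_old = cache_key_vulnerable(USER_ID, username, attempted_password)
    stored_new = cache_key_fixed(USER_ID, username, real_password, salt)
    attempt_new = cache_key_fixed(USER_ID, username, attempted_password, salt)
    return {
        "password_bytes_hashed": password_bytes_that_matter(USER_ID, username),
        "bcrypt_model_accepts": cache_accepts(stored_old, attempt_old),
        "pbkdf2_accepts": cache_accepts(stored_new, attempt_new),
    }


if __name__ == "__main__":
    # Constructed usernames: 52 chars fills bcrypt's limit, 51 leaves one password byte.
    for name in ("x" * 52, "x" * 51, "jane.doe@example.com"):
        print(len(name), replay_check(name, "CorrectHorse1!", "Cwrong"))
```

With a 52-character username the bcrypt model accepts any password, because zero password bytes are hashed; with 51 characters only the first password byte is checked, so an attempt that matches that one byte also succeeds. The PBKDF2 derivation rejects every mismatched password regardless of username length, which is the property the October 30 fix restores.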
Affected products and versions
Okta AD/LDAP DelAuth from July 23, 2024 (the release that introduced the bug) until the fix on October 30, 2024
Resolution
This vulnerability was resolved in Okta's production environment on October 30, 2024.
Severity Details
If the vulnerability was exploited, this could allow a user to authenticate with the stored cache key of a previous successful authentication. Exploitation of the vulnerability required all of the following pre-conditions:
Okta AD/LDAP delegated authentication is used
MFA is not applied
The username is 52 characters or longer
The user previously authenticated successfully, creating a cache entry for that authentication
The cached credential was consulted instead of the AD/LDAP agent, which can occur when the agent was down or could not be reached, for example due to high network traffic
The authentication occurred between July 23rd, 2024 and October 30th, 2024
Customer Recommendations
Customers meeting the pre-conditions should search their Okta System Log for unexpected authentications by usernames of 52 characters or longer between July 23, 2024 and October 30, 2024.
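One way to run that search over an exported System Log, as an added example that is not part of Okta's advisory or tooling. The script reads JSON Lines events and keeps successful delegated-authentication events in the window whose actor login is 52 characters or longer. The event type names for AD and LDAP agent authentication are assumed and should be confirmed against your tenant's System Log before relying on them; the sample events are constructed and not real tenant data.

```python
import json
from datetime import datetime, timezone

WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)  # exclusive, so Oct 30 is included
MIN_USERNAME_LEN = 52

# Assumed event types for authentication via the AD/LDAP agents; verify in your tenant.
DELAUTH_EVENT_TYPES = {
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_LDAP_agent",
}

# Constructed System Log export (JSON Lines); field names follow the System Log schema.
SAMPLE_LOG = """\
{"published":"2024-08-14T09:12:33.123Z","eventType":"user.authentication.auth_via_AD_agent","outcome":{"result":"SUCCESS"},"actor":{"id":"00u1a2b3c4d5e6f7g8h9","alternateId":"service.account.reporting.eu-west.finance@corp.example.com"},"client":{"ipAddress":"198.51.100.23"}}
{"published":"2024-08-14T09:15:01.000Z","eventType":"user.authentication.auth_via_AD_agent","outcome":{"result":"SUCCESS"},"actor":{"id":"00u2b3c4d5e6f7g8h9i0","alternateId":"jane.doe@corp.example.com"},"client":{"ipAddress":"198.51.100.24"}}
{"published":"2024-06-30T22:41:07.500Z","eventType":"user.authentication.auth_via_AD_agent","outcome":{"result":"SUCCESS"},"actor":{"id":"00u1a2b3c4d5e6f7g8h9","alternateId":"service.account.reporting.eu-west.finance@corp.example.com"},"client":{"ipAddress":"198.51.100.23"}}
{"published":"2024-09-02T03:10:44.000Z","eventType":"user.authentication.auth_via_AD_agent","outcome":{"result":"FAILURE"},"actor":{"id":"00u1a2b3c4d5e6f7g8h9","alternateId":"service.account.reporting.eu-west.finance@corp.example.com"},"client":{"ipAddress":"203.0.113.9"}}
{"published":"2024-10-30T11:00:00.000Z","eventType":"user.authentication.auth_via_LDAP_agent","outcome":{"result":"SUCCESS"},"actor":{"id":"00u3c4d5e6f7g8h9i0j1","alternateId":"ldap.sync.user.batch.processing-svc@corp.example.com"},"client":{"ipAddress":"203.0.113.50"}}
{"published":"2024-10-01T08:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"id":"00u1a2b3c4d5e6f7g8h9","alternateId":"service.account.reporting.eu-west.finance@corp.example.com"},"client":{"ipAddress":"198.51.100.23"}}
"""


def parse_published(ts: str) -> datetime:
    """System Log timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_candidate(event: dict) -> bool:
    """True for a successful DelAuth event in the window with a long username."""
    if event.get("eventType") not in DELAUTH_EVENT_TYPES:
        return False
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return False
    username = event.get("actor", {}).get("alternateId") or ""
    if len(username) < MIN_USERNAME_LEN:
        return False
    when = parse_published(event["published"])
    return WINDOW_START <= when < WINDOW_END


def find_candidates(jsonl: str) -> list:
    """Return the events a reviewer should examine, with the fields needed to judge them."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_candidate(event):
            hits.append({
                "published": event["published"],
                "user_id": event["actor"]["id"],
                "username": event["actor"]["alternateId"],
                "eventType": event["eventType"],
                "ip": event.get("client", {}).get("ipAddress"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_LOG):
        print(hit)
```

The filter only narrows the haystack; "unexpected" still has to be judged per user by comparing the flagged logins against that account's normal source addresses, times and agents. Note also that the window starts more than 90 days before the advisory's publication, so a tenant on the default System Log retention will need to run the search against a SIEM or log-streaming archive rather than the Okta console.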
Furthermore, Okta recommends all Okta customers implement MFA at a minimum. We also strongly encourage customers to enroll users in phishing resistant authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards) and to enforce phishing resistance for access to all applications.
Timeline
2024-07-23 - Vulnerability introduced as a bug in part of a standard Okta release
2024-10-30 - Vulnerability discovered internally
2024-10-30 - Vulnerability resolved by switching cryptographic algorithms, from Bcrypt to PBKDF2
Note: This security advisory was updated on November 4, 2024 to clarify the pre-conditions required to exploit the vulnerability.