Okta Classic Application Sign-On Policy Bypass

Description

On September 27, 2024, a vulnerability was identified in specific Okta configurations whereby an attacker with valid credentials could bypass configured conditions within application-specific sign-on policies. These conditions could include use of network zones, device-type restrictions, or authentication requirements set outside of the Global Session Policy. After investigation, we determined that this vulnerability was introduced as part of a release that occurred on July 17, 2024.

Affected product and versions

  • Okta Classic as of July 17, 2024 

Resolution

This vulnerability was resolved in Okta’s production environment on October 4, 2024. 

Severity Details

If the vulnerability was exploited, unauthorized access to applications associated with the application sign-on policies could be obtained. Exploitation of the vulnerability required all of the following conditions:

  1. Possession of a valid username and password;

  2. Org configured with application-specific sign-on policies;

  3. The use of a user-agent Okta evaluates as an “unknown” device type (for example, Python scripts and uncommon browser types).

Customer Recommendations

Customers who were on Okta Classic as of July 17, 2024, and who meet the above conditions are advised to review the Okta System Log for unexpected authentications from user-agents evaluated by Okta as “unknown” between July 17, 2024 and October 4, 2024, using the following query:

outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso"

Furthermore, Okta recommends customers:

  • Search for activity prior to July 17, 2024. If a user authenticated to the same application with the same "unknown" user-agent, this suggests that the more recent event was authorized.

  • Search for unsuccessful authentication attempts that may indicate a credential-based attack (such as credential stuffing or password spraying) immediately prior to a successful authentication event for the user; this suggests that the more recent event was not authorized.

  • Search for activity that deviates from previous user behavior, such as unusual geolocations, IPs, times of access, or ASNs.

  • Pay particular attention to applications with default policy rules that are not customer-configurable, including Microsoft Office 365 and RADIUS.

Timeline

  • 2024-07-17 - Vulnerability was introduced as part of a standard Okta release

  • 2024-09-27 - Vulnerability identified and PSIRT activated

  • 2024-09-27 to 2024-10-03 - Development of patches and extensive testing

  • 2024-10-04 - All vulnerable products patched in production and preview