Key Takeaways
- Okta found a flaw in AD/LDAP Delegated Authentication that permitted users to log in using just their username if it contained more than fifty-two characters.
- Okta resolved the issue by switching the cache-key derivation to PBKDF2; the flaw had existed from July 23 until October 30, 2024.
- Affected customers are advised to examine their system logs for that period to identify any possible exploitation.
If the username is more than fifty-two characters, a flaw in Okta permitted access without a password.
Okta discovered a security flaw in its AD/LDAP Delegated Authentication (DelAuth) system on October 30, 2024, affecting accounts with usernames longer than fifty-two characters. The vulnerability, present since July 2024 and discovered internally, permitted authentication with just the username and no password in some scenarios, such as periods of high traffic or agent outages.
The problem was with Okta’s cache key generation, which used Bcrypt to hash a combination of userID, username, and password. Bcrypt only processes the first 72 bytes of its input, so with a sufficiently long username the password portion of that combination was truncated away and no longer contributed to the key. Because cache keys from previous successful logins were retained, a later request for an account with a long username could match a cached key without supplying the correct password. Okta stated in its advisory that it resolved the issue by replacing the original hashing process with the PBKDF2 key-derivation function.
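To illustrate the root cause described above, the following is an added example (not Okta's code) that models both cache-key derivations. It assumes a constructed 20-character user ID and a static salt, and it stands in for Bcrypt with an explicit 72-byte truncation followed by an HMAC rather than calling a real Bcrypt implementation, so it runs with the standard library only.

```python
import hashlib
import hmac

# bcrypt silently ignores everything past the first 72 bytes of its input.
# We model that limit explicitly; the HMAC below is a stand-in for bcrypt's
# Blowfish-based KDF, not the real algorithm.
BCRYPT_INPUT_LIMIT = 72


def bcrypt_like_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Model of the original scheme: hash(userId + username + password),
    where the hash only sees the first 72 bytes of that combination."""
    material = f"{user_id}{username}{password}".encode()[:BCRYPT_INPUT_LIMIT]
    return hmac.new(salt, material, hashlib.sha256).digest()


def pbkdf2_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Fixed scheme: PBKDF2 has no input length limit, so the full password
    always contributes to the derived key."""
    material = f"{user_id}{username}{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def cached_key_matches(key_fn, user_id: str, username: str,
                       correct_password: str, attempt_password: str, salt: bytes) -> bool:
    """Return True if an attempt using attempt_password would match the cache
    key stored by an earlier successful login that used correct_password."""
    cache = {key_fn(user_id, username, correct_password, salt)}  # retained from prior login
    return key_fn(user_id, username, attempt_password, salt) in cache


# Constructed sample values (not real identifiers).
SALT = b"constructed-static-salt"
USER_ID = "00u1a2b3c4d5e6f7g8h9"  # 20 characters
LONG_USERNAME = "jane.doe.engineering@long-subsidiary-name.corp.example.com"  # 58 characters
SHORT_USERNAME = "bob"
PASSWORD = "Correct-Horse-Battery"

if __name__ == "__main__":
    for name, fn in (("bcrypt-like", bcrypt_like_cache_key), ("pbkdf2", pbkdf2_cache_key)):
        for user in (LONG_USERNAME, SHORT_USERNAME):
            hit = cached_key_matches(fn, USER_ID, user, PASSWORD, "", SALT)
            print(f"{name:12s} username_len={len(user):2d} empty password matches cache: {hit}")
```

With the long username, the user ID and username alone fill the 72-byte window, so the Bcrypt-like key is identical for any password; PBKDF2 keys differ whenever the password differs.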
The vulnerability affected Okta’s AD/LDAP delegated authentication for users that met certain conditions: the username had to be longer than fifty-two characters, and the authentication request had to hit a key that had been cached from an earlier successful session. No other authentication factors were needed. Okta has recommended that customers examine their system logs from July 23 to October 30, 2024, to spot any possible abuse of this vulnerability.
Okta stresses the importance of reviewing configurations and system logs for customers with high-traffic deployments or authentication policies that do not enforce additional security layers, such as multi-factor authentication (MFA). Those environments were more exposed to exploitation of this flaw.
In its most recent security advisories, Okta is highlighting steps to improve security. MFA can reduce the risk, and Okta’s change to the key derivation makes the cached keys themselves more resistant to this kind of attack. Notifications of advisory updates and resolution actions are now sent to customers in greater detail.
This vulnerability is not the first that Okta has encountered recently. The company suffered a data leak from its systems earlier this year, and after another breach last year Okta had to re-examine all of its customers.