Okta Discloses Authentication Vulnerability in AD/LDAP DelAuth, Urges Customer Review

Okta Authentication Vulnerability

On October 30, 2024, Okta published a security advisory about a vulnerability in its AD/LDAP Delegated Authentication (DelAuth) feature. The flaw lies in how DelAuth generated its authentication cache keys and, under specific conditions, allowed a user to sign in without the password ever being checked. Okta's advisory asks customers to review their logs, in particular for any user whose username is 52 characters or longer.

The vulnerability arises from how Okta generated the DelAuth cache key. Okta ran the concatenation "userId + username + password" through the Bcrypt algorithm and stored the result as the cache key. Bcrypt, however, hashes only the first 72 bytes of its input and silently ignores the rest. An Okta user ID is 20 characters long, so once a username reaches 52 characters the user ID and username alone consume the entire 72-byte input and the password no longer contributes anything to the key: any password, or effectively none, produces the same key as the one stored after an earlier successful login. Okta notes, "A precondition for this vulnerability is that the username must be or exceed 52 characters any time a cache key is generated for the user." Usernames of that length are uncommon, but where they exist a cached key from a past successful authentication allowed a login in which the password was never actually verified.
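The following is an added example, not code from Okta or from the original article, that reproduces the truncation property described above and contrasts it with a derivation that does not have it. The user ID, usernames, passwords and salt are constructed; SHA-256 stands in for the Blowfish-based bcrypt core so the script runs on the Python standard library alone, and the 72-byte cut-off it applies is the only bcrypt behaviour the example depends on. The length-prefixed PBKDF2 variant is an illustrative hardened form, not a description of Okta's actual fix beyond the change of algorithm.

```python
import hashlib
import hmac
import os

# bcrypt hashes at most 72 bytes of its input and silently drops the rest.
BCRYPT_INPUT_LIMIT = 72

# Constructed sample identities (not real Okta data). Okta user IDs are
# 20 characters long, so 20 + 52 = 72: a 52-character username leaves no
# room in the bcrypt input for a single password byte.
USER_ID = "00uabcdefghijklmnopq"             # 20 characters
LONG_USERNAME = "l" * 40 + "@example.com"    # 52 characters
EDGE_USERNAME = "e" * 39 + "@example.com"    # 51 characters
SHORT_USERNAME = "alice@example.com"         # 17 characters


def password_bytes_hashed(user_id: str, username: str) -> int:
    """How many bytes of the password still reach the hash after truncation."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def bcrypt_like(material: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt (assumption: SHA-256 replaces the Blowfish core so
    the example needs no third-party package). It keeps the one property that
    matters here: only the first 72 bytes of the input are hashed."""
    return hashlib.sha256(salt + material[:BCRYPT_INPUT_LIMIT]).digest()


def vulnerable_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """The pre-fix derivation from the advisory: one concatenated string into bcrypt."""
    material = (user_id + username + password).encode("utf-8")
    return bcrypt_like(material, salt)


def fixed_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """PBKDF2 (the algorithm Okta moved to) has no input length limit, so every
    password byte influences the key. Length-prefixing each field is an added
    hardening (assumption, not from the advisory) so field boundaries cannot
    shift: ("ab", "c") and ("a", "bc") yield different material."""
    def field(value: str) -> bytes:
        raw = value.encode("utf-8")
        return len(raw).to_bytes(4, "big") + raw
    material = field(user_id) + field(username) + field(password)
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def cache_hit(stored_key: bytes, candidate_key: bytes) -> bool:
    """Constant-time comparison of a freshly derived key with the stored one."""
    return hmac.compare_digest(stored_key, candidate_key)


def demo() -> dict:
    """Derive keys for each username length and report whether a wrong
    password that shares only its first character with the real one is
    accepted by the vulnerable and by the fixed derivation."""
    salt = os.urandom(16)
    real, wrong = "Correct-Horse-Battery", "Cxxx"
    results = {}
    for label, username in (("short", SHORT_USERNAME),
                            ("edge", EDGE_USERNAME),
                            ("long", LONG_USERNAME)):
        results[label] = {
            "password_bytes_hashed": password_bytes_hashed(USER_ID, username),
            "vulnerable_accepts_wrong_password": cache_hit(
                vulnerable_cache_key(USER_ID, username, real, salt),
                vulnerable_cache_key(USER_ID, username, wrong, salt)),
            "fixed_accepts_wrong_password": cache_hit(
                fixed_cache_key(USER_ID, username, real, salt),
                fixed_cache_key(USER_ID, username, wrong, salt)),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The 51-character case is worth noting: the cut-off is not all-or-nothing. With one byte of password left inside the 72-byte window, any password that starts with the right character collides with the stored key, so accounts just under the 52-character threshold were weakened even though they fall outside the advisory's stated precondition.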

Okta clarifies that the cached key is only consulted, and the flaw therefore only exploitable, when "the agent is down and cannot be reached OR there is high traffic," because DelAuth then falls back to the stored cache key instead of validating the credentials against the AD/LDAP agent. The flaw concerns only the password check, so any MFA required by the sign-on policy still had to be satisfied. The vulnerability was introduced as part of a standard Okta update on July 23, 2024, and remained present until October 30, 2024, when Okta resolved it in its production environment by replacing Bcrypt with PBKDF2 for the cache-key derivation. Okta stresses that any suspicious access during that window should be investigated.

Okta asks customers who meet the preconditions (AD/LDAP DelAuth in use, with users whose usernames are 52 characters or longer) to review their Okta System Log for the July 23 to October 30, 2024 window, looking for unexpected successful authentications by those users, particularly at times when the AD/LDAP agent was unreachable or under heavy load. This review is the only way to identify whether the cache-key behavior was actually exploited in a given tenant.
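As an added example, not part of the original article or of any Okta tooling, the script below applies the advisory's preconditions to a System Log export: it keeps successful authentications inside the July 23 to October 30, 2024 window whose username is 52 characters or longer, and summarizes them per user so an analyst knows which sign-ins to examine. The log records are constructed; they use a subset of real System Log fields (published, eventType, actor.alternateId, outcome.result), but the eventType value used for agent-backed logins is an assumption, and the script does not attempt to tell a cache-served login from an agent-validated one, since that distinction is not something the advisory says the log exposes.

```python
import json
from datetime import datetime, timezone

# Window from the advisory: introduced July 23, 2024, fixed October 30, 2024.
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 30, 23, 59, 59, tzinfo=timezone.utc)
MIN_USERNAME_LEN = 52

# Assumption: the eventType prefix that identifies delegated-auth logins.
# Widen or change this to match the event types present in your own export.
AUTH_EVENT_PREFIX = "user.authentication."

# Constructed System Log records (JSON-lines export), not real customer data.
LONG_USER = "l" * 40 + "@example.com"            # 52 characters
LONGER_USER = "x" * 48 + "@example.com"          # 60 characters
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"published": "2024-08-14T09:15:22.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-06-01T08:00:00.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},      # before window
    {"published": "2024-09-02T17:40:05.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}},  # short name
    {"published": "2024-09-02T17:41:09.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "FAILURE"}},      # failed login
    {"published": "2024-10-30T12:00:00.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": LONGER_USER}, "outcome": {"result": "SUCCESS"}},
])


def parse_published(value: str) -> datetime:
    """System Log timestamps are UTC with a trailing Z and fractional seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def meets_preconditions(event: dict) -> bool:
    """True when the event is a successful delegated-auth login, inside the
    affected window, by a user whose username is 52 characters or longer."""
    username = event.get("actor", {}).get("alternateId") or ""
    if len(username) < MIN_USERNAME_LEN:
        return False
    if not event.get("eventType", "").startswith(AUTH_EVENT_PREFIX):
        return False
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return False
    published = parse_published(event["published"])
    return WINDOW_START <= published <= WINDOW_END


def triage(log_text: str) -> list:
    """Return the events that satisfy the advisory's preconditions, oldest first."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if meets_preconditions(event):
            flagged.append({
                "published": event["published"],
                "username": event["actor"]["alternateId"],
                "eventType": event["eventType"],
            })
    flagged.sort(key=lambda e: e["published"])
    return flagged


def summarize(flagged: list) -> dict:
    """Per-user count of flagged logins, the starting point for the manual review."""
    counts = {}
    for event in flagged:
        counts[event["username"]] = counts.get(event["username"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(hit["published"], hit["username"], hit["eventType"])
    print(summarize(hits))
```

The flagged set is a list of sign-ins to verify, not a list of compromises: each one still has to be checked against the user's expected activity and, where that data exists, against whether the AD/LDAP agent was reachable at the time.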
