Okta Patches Vulnerability Allowing Unauthorized Access


Identity and access management giant, Okta, recently addressed a vulnerability that could have allowed malicious actors with valid credentials to bypass critical security measures. The vulnerability, identified on September 27, 2024, resided in specific configurations within Okta Classic and stemmed from a release back in July.

“On September 27, 2024, a vulnerability was identified in specific Okta configurations whereby an attacker with valid credentials could bypass configured conditions within application-specific sign-on policies,” Okta stated in their security advisory. These bypassed conditions could include crucial safeguards like network zones, device-type restrictions, and authentication requirements.

Essentially, this vulnerability could have granted unauthorized access to applications linked to compromised application sign-on policies. However, exploitation wasn’t a simple affair. Okta clarified that exploitation required a trifecta of conditions:

  • Valid Credentials: The attacker needed a legitimate username and password.
  • Application-Specific Policies: The organization had to be configured with application-specific sign-on policies.
  • “Unknown” Device Type: The attacker needed to use a user-agent that Okta classified as an “unknown” device type, such as Python scripts or uncommon browsers.

Okta detailed the risk, stating: “If the vulnerability was exploited, unauthorized access to applications associated with the application sign-on policies could be obtained.”

Thankfully, Okta swiftly addressed the vulnerability, resolving it in their production environment on October 4, 2024. But the story doesn’t end there. Okta urges potentially affected customers — those using Okta Classic as of July 17, 2024, and meeting the exploitation conditions — to investigate their systems proactively.

The company recommends a thorough review of Okta System Logs for any suspicious authentication attempts originating from “unknown” user-agents between July 17 and October 4, 2024. Okta provides a specific System Log query for this purpose (quotes must be plain ASCII for the filter to parse): outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso"

In addition to log analysis, Okta suggests further investigation:

  • Expand the search: Look for similar activity prior to July 17, 2024, to establish baselines and identify anomalies.
  • Unmask credential attacks: Investigate unsuccessful authentication attempts preceding successful ones, which could indicate credential stuffing or password spraying attacks.
  • Behavioral analysis: Be on the lookout for any deviations from typical user behavior, such as unusual geolocations, IP addresses, access times, or ASNs.
  • Prioritize critical applications: Pay close attention to applications with default, non-configurable policy rules, such as Microsoft Office 365 and Radius.
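The review steps above can be turned into an offline triage script. The following is an added example, not Okta's code or the article's: it applies the advisory's filter to exported System Log events within the July 17 to October 4 window and, for each hit, counts failed sign-ins by the same user shortly beforehand (the credential-stuffing signal). It assumes the event field names shown (outcome.result, client.device, eventType, actor.alternateId, client.userAgent.rawUserAgent, published) and that failed sign-ins appear as user.session.start with outcome FAILURE; the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone
# Review window from the advisory: July 17 through October 4, 2024 (upper bound exclusive).
WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 5, tzinfo=timezone.utc)

def ev(ts, etype, result, actor, device, ua):
    """Build a minimal record shaped like an Okta System Log event (assumed field names)."""
    return {"published": ts, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": actor},
            "client": {"device": device, "userAgent": {"rawUserAgent": ua}}}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    ev("2024-08-02T09:10:00.000Z", "user.session.start", "FAILURE", "alice@example.com", "Unknown", "python-requests/2.31.0"),
    ev("2024-08-02T09:11:00.000Z", "user.session.start", "FAILURE", "alice@example.com", "Unknown", "python-requests/2.31.0"),
    ev("2024-08-02T09:12:00.000Z", "user.authentication.sso", "SUCCESS", "alice@example.com", "Unknown", "python-requests/2.31.0"),
    ev("2024-08-02T10:00:00.000Z", "user.authentication.sso", "SUCCESS", "bob@example.com", "Computer", "Mozilla/5.0 Chrome/128"),
    ev("2024-06-01T08:00:00.000Z", "user.authentication.sso", "SUCCESS", "carol@example.com", "unknown", "curl/8.4.0"),
    ev("2024-09-15T14:30:00.000Z", "user.authentication.sso", "SUCCESS", "dave@example.com", "unknown", "curl/8.4.0"),
]

def published_at(event):
    # Okta timestamps end in "Z"; fromisoformat needs "+00:00" on Python < 3.11.
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def matches_advisory_filter(event):
    """Same condition as the System Log query in the advisory."""
    return (event["outcome"]["result"] == "SUCCESS"
            and event["client"]["device"] in ("Unknown", "unknown")
            and event["eventType"] == "user.authentication.sso")

def unknown_device_sso(events, start=WINDOW_START, end=WINDOW_END):
    """Successful SSO events from an 'unknown' device type inside the review window."""
    return [e for e in events if matches_advisory_filter(e) and start <= published_at(e) < end]

def failures_before(events, hit, lookback=timedelta(minutes=30)):
    """Failed sign-ins by the same actor shortly before a hit: a credential-stuffing signal."""
    t, actor = published_at(hit), hit["actor"]["alternateId"]
    return sum(1 for e in events if e["outcome"]["result"] == "FAILURE"
               and e["actor"]["alternateId"] == actor and t - lookback <= published_at(e) < t)

def triage(events):
    """Map each hit's actor to (raw user-agent, number of preceding failures)."""
    return {h["actor"]["alternateId"]: (h["client"]["userAgent"]["rawUserAgent"], failures_before(events, h))
            for h in unknown_device_sso(events)}

if __name__ == "__main__":
    for actor, (ua, fails) in triage(SAMPLE_EVENTS).items():
        print(f"{actor}: unknown-device SSO via {ua!r}, {fails} failed attempts in prior 30 min")
```

Widening start to before July 17 (as the advisory suggests for baselining) would also surface carol's June event, which the default window excludes.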
