Okta AD/LDAP Authentication Vulnerability Allows Unauthorized Access


Okta, a leading company in identity and access management, has recently addressed a critical vulnerability in its AD/LDAP Delegated Authentication system.

Okta’s security team internally discovered and promptly addressed the flaw, which could potentially allow unauthorized access to user accounts.

The vulnerability, introduced on July 23, 2024, during a routine platform update, affected Okta’s cache key generation mechanism for AD/LDAP DelAuth authentication.

The issue stemmed from using the Bcrypt algorithm to create cache keys by hashing a combination of user ID, username, and password.

Okta AD/LDAP Authentication Vulnerability

The critical flaw specifically impacted usernames that were 52 characters or longer. Under certain conditions, this implementation could permit authentication using only a username that matched a previously cached successful login attempt, effectively bypassing the need for a password.

Two scenarios could potentially trigger the vulnerability:

  1. When the authentication agent was down and unreachable
  2. During periods of high traffic

In these situations, the Delegated Authentication system would prioritize cache lookups, potentially leading to unauthorized access.

While the prerequisite of 52 characters or longer usernames may limit the vulnerability’s scope, organizations using lengthy usernames in their Active Directory or LDAP configurations were particularly at risk.

The issue affected all Okta AD/LDAP DelAuth implementations deployed after July 23, 2024.

Upon internal discovery on October 30, 2024, Okta’s security team immediately addressed the vulnerability. The fix involved replacing the Bcrypt algorithm with PBKDF2 for cache key generation, effectively closing the security gap.
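To make the flaw and the fix concrete, here is an added model of the cache-key construction described above; it is not Okta's code. It assumes a 20-character user ID (so that a 52-character username fills bcrypt's 72-byte input limit exactly), stands in for bcrypt with a hash over the first 72 bytes of the input, and adds a helper that reports, for any username length, how many password bytes still reach the hash:

```python
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bcrypt hashes only the first 72 bytes of its input

# Constructed sample values (assumptions, not taken from the advisory).
USER_ID = "00u" + "x" * 17          # 20-character id, modelled on Okta-style ids
LONG_USERNAME = "a" * 52            # 52 characters: the threshold named in the article
SHORT_USERNAME = "alice"
SALT = b"constructed-static-salt"   # fixed so cache keys are reproducible here


def flawed_cache_key(user_id: str, username: str, password: str) -> bytes:
    """Model of the pre-fix construction: bcrypt over user_id+username+password.

    bcrypt itself is modelled by truncating the input to 72 bytes before hashing;
    that truncation is the property behind the bug.
    """
    material = (user_id + username + password).encode()
    return hashlib.sha256(SALT + material[:BCRYPT_INPUT_LIMIT]).digest()


def fixed_cache_key(user_id: str, username: str, password: str) -> bytes:
    """Post-fix construction: PBKDF2 has no input-length limit, so every byte of
    the password contributes to the cache key."""
    material = (user_id + username + password).encode()
    return hashlib.pbkdf2_hmac("sha256", material, SALT, 10_000)


def password_bytes_hashed(user_id: str, username: str) -> int:
    """How many password bytes survive bcrypt's 72-byte limit for this identity.
    Zero means the cached entry can be matched by the username alone."""
    return max(0, BCRYPT_INPUT_LIMIT - len(user_id.encode()) - len(username.encode()))


def password_bound(key_fn, user_id: str, username: str) -> bool:
    """True if two different passwords yield different cache keys, i.e. the
    cache entry is actually bound to the password."""
    k1 = key_fn(user_id, username, "correct horse battery staple")
    k2 = key_fn(user_id, username, "totally-different-password")
    return not hmac.compare_digest(k1, k2)
```

Auditing identities with `password_bytes_hashed(...) == 0` gives a defender the same 52-character criterion the advisory states, and `password_bound` is the property a regression test for the fix should assert.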

The patch was deployed to Okta’s production environment on the same day as the discovery.

Okta has urged affected customers to audit their system logs between July 23, 2024, and October 30, 2024, to identify potential unauthorized access attempts.

As organizations increasingly rely on cloud-based identity management solutions, this event highlights the critical need for vigilance and proactive security measures to protect sensitive user data and prevent unauthorized access to critical systems.