On Friday, Okta disclosed a security vulnerability in its Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) Delegated Authentication (DelAuth) feature. Under specific conditions, the flaw allowed a user to authenticate with only a valid username of 52 characters or longer, without supplying the correct password, because the password was never actually compared.
Conditions for Exploitation:
- Username Length: The username must be 52 characters or longer. Since Okta usernames are commonly email addresses, this is not an exotic length.
- Cache State: A cache key from a previous successful authentication of that user must still be present; a user who has never signed in successfully is not affected.
- Authentication Policy: The organization's authentication policy must not add conditions beyond the password, such as multi-factor authentication (MFA). With MFA required, the password bypass alone does not complete a sign-in.
- Agent Status: The cached key is only consulted when the DelAuth agent cannot answer, for example because it is down or under high traffic. The bypass therefore depends on hitting that fallback path rather than the live agent.
Technical Details:
- Root Cause: The cache key was generated by running the concatenation `userId + username + password` through Bcrypt. Bcrypt only hashes the first 72 bytes of its input and silently ignores the rest. Okta user IDs are 20 characters long, so with a username of 52 characters or more the password bytes sit entirely beyond the 72-byte limit and have no effect on the hash. Any password, including an empty or wrong one, then matched the cached key for that user whenever the cache was consulted.
- Resolution: Okta replaced Bcrypt with PBKDF2 for generating the cache key. PBKDF2 processes its entire input, so the password always contributes to the key regardless of how long the userId and username prefix is.
- Affected Timeframe: The vulnerability was introduced on July 23, 2024, and fixed on October 30, 2024; the advisory was published on November 1, 2024.
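The following added example (written for this article, not Okta's code) shows the mechanics described above: how many password bytes actually reach Bcrypt for a given userId and username, why the threshold works out to 52 characters for a 20-character userId, and how a PBKDF2 construction over the same material keeps the password in play. The user ID, usernames and passwords are constructed sample values, and the exact byte encoding of the concatenation is an assumption, since Okta has not published it. If the `bcrypt` package is installed, the collision is reproduced with the real library; otherwise that step is skipped.

```python
import hashlib
import os

# bcrypt only ever hashes the first 72 bytes of its input; anything past that
# is silently ignored. This is a documented property of the algorithm.
BCRYPT_INPUT_LIMIT = 72

# Constructed sample identifiers. Okta user IDs are 20 characters long
# ("00u" followed by 17 more characters); this one is made up.
USER_ID = "00uabcdefghijklmnopq"  # 20 chars
LONG_USERNAME = "averylongfirstname.averylonglastname@corp.example.com"  # 53 chars
SHORT_USERNAME = "bob@corp.example.com"  # 20 chars


def cache_key_material(user_id: str, username: str, password: str) -> bytes:
    """Concatenate the fields in the order the advisory describes.

    Hypothetical reconstruction: the exact encoding Okta used is not public,
    but the ordering (userId + username + password) is what matters here.
    """
    return (user_id + username + password).encode("utf-8")


def password_bytes_seen_by_bcrypt(user_id: str, username: str, password: str) -> int:
    """How many bytes of the password fall inside bcrypt's 72-byte window."""
    prefix_len = len((user_id + username).encode("utf-8"))
    pw_len = len(password.encode("utf-8"))
    return max(0, min(pw_len, BCRYPT_INPUT_LIMIT - prefix_len))


def min_username_len_for_full_truncation(user_id: str) -> int:
    """Username length at which the password is pushed entirely out of the window."""
    return BCRYPT_INPUT_LIMIT - len(user_id.encode("utf-8"))


def bcrypt_accepts_wrong_password(user_id, username, real_pw, wrong_pw):
    """Reproduce the collision with the real bcrypt library when it is installed.

    Returns True if checkpw accepts the wrong password, False if it rejects it,
    and None if bcrypt is not installed or (bcrypt >= 5) refuses inputs over
    72 bytes instead of truncating them.
    """
    try:
        import bcrypt
    except ImportError:
        return None
    try:
        stored = bcrypt.hashpw(cache_key_material(user_id, username, real_pw),
                               bcrypt.gensalt(rounds=4))  # low cost: demo only
        return bcrypt.checkpw(cache_key_material(user_id, username, wrong_pw), stored)
    except ValueError:
        return None


def pbkdf2_cache_key(user_id, username, password, salt, iterations=100_000):
    """The fixed construction: PBKDF2 processes its whole input, so the password
    always contributes to the key, however long the prefix is."""
    return hashlib.pbkdf2_hmac("sha256", cache_key_material(user_id, username, password),
                               salt, iterations)


if __name__ == "__main__":
    print("threshold username length:", min_username_len_for_full_truncation(USER_ID))
    for name in (SHORT_USERNAME, LONG_USERNAME):
        print(len(name), "chars ->", password_bytes_seen_by_bcrypt(USER_ID, name, "hunter2"),
              "password bytes hashed by bcrypt")
    print("bcrypt accepts wrong password:",
          bcrypt_accepts_wrong_password(USER_ID, LONG_USERNAME, "hunter2", "not-the-password"))
    salt = os.urandom(16)
    a = pbkdf2_cache_key(USER_ID, LONG_USERNAME, "hunter2", salt)
    b = pbkdf2_cache_key(USER_ID, LONG_USERNAME, "not-the-password", salt)
    print("PBKDF2 keys differ:", a != b)
```

The arithmetic is the whole story: 20 bytes of userId plus 52 bytes of username is exactly 72, so from that username length on, nothing the user types as a password changes what Bcrypt hashes. Swapping in PBKDF2 removes the truncation, but any fixed-width KDF fed with user-controlled prefixes deserves the same check.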
Recommendations:
Okta has advised affected customers to review their System Log for the period in which the flaw was live, July 23 through October 30, 2024 (roughly the past three months), for suspicious activity. The conditions above give a practical filter: successful delegated sign-ins for usernames of 52 characters or more, particularly at times when the AD/LDAP agent was unavailable or overloaded and for accounts not protected by MFA.
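As an added example for that review (not a tool Okta ships), the following script applies the conditions above to exported System Log events: successful delegated-authentication sign-ins inside the affected window with a username of 52 characters or more. The log lines are constructed in a trimmed-down System Log shape, and the two event type names are assumptions that should be confirmed against your own tenant's events before use.

```python
import json
from datetime import datetime, timezone

# Period during which the flaw was live, per the advisory (July 23 to October 30, 2024).
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)  # exclusive: includes all of Oct 30
MIN_USERNAME_LEN = 52

# Assumed event types for a delegated-authentication sign-in through the AD/LDAP agent.
# Verify these names against your own Okta System Log before relying on them.
DELAUTH_EVENT_TYPES = {
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_LDAP_agent",
}

# Constructed sample events (JSON lines) in a reduced System Log shape; not real data.
SAMPLE_LOG = """
{"published": "2024-09-14T08:12:33Z", "eventType": "user.authentication.auth_via_AD_agent", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "averylongfirstname.averylonglastname@corp.example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-09-14T08:15:02Z", "eventType": "user.authentication.auth_via_AD_agent", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@corp.example.com"}, "client": {"ipAddress": "198.51.100.7"}}
{"published": "2024-10-02T17:40:11Z", "eventType": "user.authentication.auth_via_LDAP_agent", "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "averylongfirstname.averylonglastname@corp.example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-11-05T09:00:00Z", "eventType": "user.authentication.auth_via_AD_agent", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "averylongfirstname.averylonglastname@corp.example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-08-20T12:30:45Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "averylongfirstname.averylonglastname@corp.example.com"}, "client": {"ipAddress": "203.0.113.10"}}
"""


def parse_published(ts: str) -> datetime:
    # System Log timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_candidate_bypasses(log_text: str) -> list:
    """Return successful DelAuth sign-ins inside the affected window whose username
    is long enough to have pushed the password out of bcrypt's 72-byte input."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventType") not in DELAUTH_EVENT_TYPES:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        when = parse_published(ev["published"])
        if not (WINDOW_START <= when < WINDOW_END):
            continue
        username = ev.get("actor", {}).get("alternateId", "")
        if len(username) < MIN_USERNAME_LEN:
            continue
        hits.append({
            "published": ev["published"],
            "username": username,
            "username_len": len(username),
            "ip": ev.get("client", {}).get("ipAddress"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_candidate_bypasses(SAMPLE_LOG):
        print(f"{hit['published']} {hit['username']} ({hit['username_len']} chars) from {hit['ip']}")
```

A match is a candidate, not proof: a long username signing in successfully during the window is normal for most such users. Correlate each hit with agent availability at that time, the source IP and device against the user's history, and whether the sign-in should have carried an MFA challenge that is absent.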
This disclosure highlights the importance of thorough monitoring and of layered controls such as MFA: a policy that required a second factor turned this password bypass into a non-event, while a password-only policy left it fully exploitable whenever the agent fell back to its cache.