Reco Security Labs - Okta Authentication Vulnerability Highlights Potential MFA Risk
On October 30, 2024, Okta resolved a vulnerability affecting the Active Directory (AD) and LDAP delegated authentication systems in their product. This flaw, introduced through a July 2024 update, could allow unauthorized access to Okta accounts under specific conditions (detailed below).
The misconfiguration impacts users relying on AD/LDAP delegated authentication , highlighting potential security gaps for customers without Multi-Factor Authentication (MFA) enabled.
The Vulnerability
The vulnerability stemmed from an issue in generating cache keys used for authentication. Okta utilized Bcrypt, an encryption library used in various products and solutions, to hash a combined string of user ID, username, and password, creating a unique key for each login session. However, allowing unauthorized access if the cache key from a prior session was re-used under high network traffic or server downtime. This vulnerability was especially risky for organizations using AD/LDAP Delegated Authentication without MFA.
Exploit Conditions
For an attacker to exploit this flaw, the following conditions had to be met:
- Use of Okta AD/LDAP delegated authentication without MFA
- Username length of 52 or more characters
- A successful prior authentication session using a cache
- Network traffic causing AD/LDAP downtime, triggering cache usage
Okta’s Mitigation & Customer Recommendations
Okta addressed the vulnerability on October 30, 2024, by shifting from Bcrypt to PBKDF2 for cache key hashing. However, Okta urges all customers using AD/LDAP delegated authentication to review system logs for unusual login attempts involving long usernames between July 23 and October 30.
Additionally, implementing MFA and phishing-resistant authenticators, such as Okta Verify FastPass or FIDO2 WebAuthn, can significantly reduce future risk.
Reco’s Analysis
Reco suspects that Bcrypt was used originally in Auth0, which means a smaller number of customers were likely affected than originally suspected. Although this setup is less common (AD on prem delegated to Okta), it still means that threat actors could have gained direct, unobstructed access to your on-prem active directory straight to the domain controller.
How Reco Can Help
Reco’s Threat Detection and Response capabilities provide an additional layer of security that can significantly mitigate risks associated with misconfigurations like the recent Okta vulnerability. By continuously monitoring for suspicious authentication activities, Reco detects potential misconfigurations and unusual login patterns that could indicate compromised access, such as repeated login attempts with usernames that meet risky criteria (e.g., exceeding specific character limits).
With real-time visibility across user interactions, Reco leverages advanced analytics and machine learning to detect and alert teams to deviations from typical access behavior, flagging potential unauthorized access attempts that might bypass traditional authentication methods. This capability is particularly effective for organizations relying on delegated authentication methods, as Recocontinuously inspects SaaS activity and enforces compliance with MFA and secure access protocols. (See Figure 1)
Integrating with your existing SIEM or SOAR, Reco allows security teams to swiftly lock out suspicious accounts, enforce additional authentication layers, and remediate misconfigurations.
To learn more about how Reco can help secure your SaaS applications request a demo.
Request a demo and explore Reco in action
ABOUT THE AUTHOR
Dvir Sasson
Dvir is the Director of Security Research Director, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.
Dvir is the Director of Security Research Director, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.