Demo Request
Take a personalized product tour with a member of our team to see how we can help make your existing security teams and tools more effective within minutes.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Home
Blog

Reco Security Labs - Okta Authentication Vulnerability Highlights Potential MFA Risk

Dvir Sasson
Updated
November 8, 2024
December 17, 2024
2 min read

On October 30, 2024, Okta resolved a vulnerability affecting the Active Directory (AD) and LDAP delegated authentication systems in their product. This flaw, introduced through a July 2024 update, could allow unauthorized access to Okta accounts under specific conditions (detailed below). 

The misconfiguration impacts users relying on AD/LDAP delegated authentication , highlighting potential security gaps for customers without Multi-Factor Authentication (MFA) enabled.

The Vulnerability

The vulnerability stemmed from an issue in generating cache keys used for authentication. Okta utilized Bcrypt, an encryption library used in various products and solutions, to hash a combined string of user ID, username, and password, creating a unique key for each login session. However, allowing unauthorized access if the cache key from a prior session was re-used under high network traffic or server downtime. This vulnerability was especially risky for organizations using AD/LDAP Delegated Authentication without MFA.

Exploit Conditions

For an attacker to exploit this flaw, the following conditions had to be met:

  • Use of Okta AD/LDAP delegated authentication without MFA
  • Username length of 52 or more characters
  • A successful prior authentication session using a cache
  • Network traffic causing AD/LDAP downtime, triggering cache usage

Okta’s Mitigation & Customer Recommendations

Okta addressed the vulnerability on October 30, 2024, by shifting from Bcrypt to PBKDF2 for cache key hashing. However, Okta urges all customers using AD/LDAP delegated authentication  to review system logs for unusual login attempts involving long usernames between July 23 and October 30. 

Additionally, implementing MFA and phishing-resistant authenticators, such as Okta Verify FastPass or FIDO2 WebAuthn, can significantly reduce future risk.

Reco’s Analysis

Reco suspects that Bcrypt was used originally in Auth0, which means a smaller number of customers were likely affected than originally suspected. Although this setup is less common (AD on prem delegated to Okta), it still means that threat actors could have gained direct, unobstructed access to your on-prem active directory straight to the domain controller.

How Reco Can Help

Reco’s Threat Detection and Response capabilities provide an additional layer of security that can significantly mitigate risks associated with misconfigurations like the recent Okta vulnerability. By continuously monitoring for suspicious authentication activities, Reco detects potential misconfigurations and unusual login patterns that could indicate compromised access, such as repeated login attempts with usernames that meet risky criteria (e.g., exceeding specific character limits).

Figure 1: Reco SaaS Security Platform Alerting on this Vulnerability

With real-time visibility across user interactions, Reco leverages advanced analytics and machine learning to detect and alert teams to deviations from typical access behavior, flagging potential unauthorized access attempts that might bypass traditional authentication methods. This capability is particularly effective for organizations relying on delegated authentication methods, as Recocontinuously inspects SaaS activity and enforces compliance with MFA and secure access protocols. (See Figure 1)

Integrating with your existing SIEM or SOAR, Reco allows security teams to swiftly lock out suspicious accounts, enforce additional authentication layers, and remediate misconfigurations.

To learn more about how Reco can help secure your SaaS applications request a demo.

ABOUT THE AUTHOR

Dvir Sasson

Dvir is the Director of Security Research Director, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.

Technical Review by:
Gal Nakash
Technical Review by:
Dvir Sasson

Dvir is the Director of Security Research Director, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.

Table of Contents
Get the Latest SaaS Security Insights
Subscribe to receive updates on the latest cyber security attacks and trends in SaaS Security.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.