Reco Security Labs - Okta Authentication Vulnerability Highlights Potential MFA Risk

On October 30, 2024, Okta resolved a vulnerability affecting the Active Directory (AD) and LDAP delegated authentication systems in their product. This flaw, introduced through a July 2024 update, could allow unauthorized access to Okta accounts under specific conditions (detailed below). 

The misconfiguration impacts users relying on AD/LDAP delegated authentication , highlighting potential security gaps for customers without Multi-Factor Authentication (MFA) enabled.

‍

The Vulnerability

‍

The vulnerability stemmed from an issue in generating cache keys used for authentication. Okta utilized Bcrypt, an encryption library used in various products and solutions, to hash a combined string of user ID, username, and password, creating a unique key for each login session. However, allowing unauthorized access if the cache key from a prior session was re-used under high network traffic or server downtime. This vulnerability was especially risky for organizations using AD/LDAP Delegated Authentication without MFA.

‍

Exploit Conditions

‍

For an attacker to exploit this flaw, the following conditions had to be met:

• Use of Okta AD/LDAP delegated authentication without MFA
• Username length of 52 or more characters
• A successful prior authentication session using a cache
• Network traffic causing AD/LDAP downtime, triggering cache usage

‍

Okta’s Mitigation & Customer Recommendations

‍

Okta addressed the vulnerability on October 30, 2024, by shifting from Bcrypt to PBKDF2 for cache key hashing. However, Okta urges all customers using AD/LDAP delegated authentication  to review system logs for unusual login attempts involving long usernames between July 23 and October 30. 

Additionally, implementing MFA and phishing-resistant authenticators, such as Okta Verify FastPass or FIDO2 WebAuthn, can significantly reduce future risk.

‍

Reco’s Analysis

‍

Reco suspects that Bcrypt was used originally in Auth0, which means a smaller number of customers were likely affected than originally suspected. Although this setup is less common (AD on prem delegated to Okta), it still means that threat actors could have gained direct, unobstructed access to your on-prem active directory straight to the domain controller.

‍

How Reco Can Help

‍

Reco’s Threat Detection and Response capabilities provide an additional layer of security that can significantly mitigate risks associated with misconfigurations like the recent Okta vulnerability. By continuously monitoring for suspicious authentication activities, Reco detects potential misconfigurations and unusual login patterns that could indicate compromised access, such as repeated login attempts with usernames that meet risky criteria (e.g., exceeding specific character limits).

‍

‍

With real-time visibility across user interactions, Reco leverages advanced analytics and machine learning to detect and alert teams to deviations from typical access behavior, flagging potential unauthorized access attempts that might bypass traditional authentication methods. This capability is particularly effective for organizations relying on delegated authentication methods, as Recocontinuously inspects SaaS activity and enforces compliance with MFA and secure access protocols. (See Figure 1)

‍

Integrating with your existing SIEM or SOAR, Reco allows security teams to swiftly lock out suspicious accounts, enforce additional authentication layers, and remediate misconfigurations.

‍

To learn more about how Reco can help secure your SaaS applications request a demo.

‍