🚨 #Vulnerability in #Okta AD/LDAP Delegated Authentication: Passwordless Authentication (under certain conditions) between July 23 and October 30, 2024 🚨
🔍 DESCRIPTION OF THE VULNERABILITY
The vulnerability stems from the use of the Bcrypt algorithm to derive a cache key from the concatenation user ID + username + password.
Under certain conditions, a user could authenticate by supplying only the username, because the cache key stored during a previous successful authentication would still match.
⚠️ EXPLOITATION CONDITIONS
The username must be 52 characters or more, which is what triggers generation of the vulnerable cache key.
The authentication service must be offline (agent disconnected) OR under high traffic, so that DelAuth (Delegated Authentication) consults the cache first.
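Why the 52-character threshold matters: Bcrypt only processes the first 72 bytes of its input, so once user ID + username already fill those 72 bytes, the password is silently dropped from the derived key. The following is an added illustration, not Okta's code; it assumes a 20-character Okta user ID (20 + 52 = 72) and stands in SHA-256 for Bcrypt so that only the truncation behaviour is modelled and the script runs with the standard library alone.

```python
import hashlib
import hmac

# Bcrypt ignores every byte of its input beyond the 72nd.
BCRYPT_INPUT_LIMIT = 72
# Assumption: Okta user IDs are 20 characters, so a 52-character username
# fills the 72-byte window on its own and pushes the password out of it.
USER_ID_LEN = 20


def bcrypt_style_key(user_id: str, username: str, password: str) -> str:
    """Pre-fix derivation: models Bcrypt's 72-byte truncation.
    SHA-256 is a stand-in for the real Bcrypt so no third-party library is needed."""
    material = (user_id + username + password).encode()[:BCRYPT_INPUT_LIMIT]
    return hashlib.sha256(material).hexdigest()


def pbkdf2_key(user_id: str, username: str, password: str) -> str:
    """Post-fix derivation: PBKDF2 consumes the whole input, nothing is truncated."""
    material = (user_id + username + password).encode()
    # Constructed, fixed salt so the example is deterministic.
    return hashlib.pbkdf2_hmac("sha256", material, b"constructed-salt", 100_000).hex()


def password_ignored(derive, username_len: int) -> bool:
    """True if the derivation produces the same cache key with and without
    the password, i.e. the password no longer contributes to the key."""
    user_id = "0" * USER_ID_LEN     # constructed placeholder user ID
    username = "u" * username_len   # constructed username of the given length
    with_pw = derive(user_id, username, "correct horse battery staple")
    without_pw = derive(user_id, username, "")
    return hmac.compare_digest(with_pw, without_pw)


if __name__ == "__main__":
    for n in (51, 52, 60):
        print(f"username length {n}: bcrypt-style ignores password? "
              f"{password_ignored(bcrypt_style_key, n)}, "
              f"PBKDF2 ignores password? {password_ignored(pbkdf2_key, n)}")
```

With a 51-character username the password still lands inside the 72-byte window and the keys differ; at 52 characters the Bcrypt-style key collapses to a username-only key, while the PBKDF2 key keeps distinguishing passwords at every length.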
✅ RESOLUTION
Introduced on July 23, 2024 in a standard release, the vulnerability was discovered and patched by Okta on October 30, 2024 by replacing Bcrypt with PBKDF2.
📌 RECOMMENDATIONS
Organizations using Okta AD/LDAP DelAuth are advised to:
- Analyze system logs between July 23 and October 30, 2024 to identify any access attempts that may be related to this vulnerability.
- Contact Okta Support for further assistance.
🕒 TIMELINE
July 23, 2024: Vulnerability introduced as part of a standard Okta release.
October 30, 2024: Vulnerability discovered internally.
October 30, 2024: Vulnerability fixed by changing Bcrypt key derivation function to PBKDF2.
🔗 OKTA SECURITY ADVISORY: https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username/