Okta has patched a critical vulnerability in its AD/LDAP Delegated Authentication (DelAuth) system that could allow unauthorized access to accounts whose usernames are 52 characters or longer. The flaw was discovered internally and affected the platform's cache key generation mechanism.
The vulnerability stemmed from the use of the Bcrypt algorithm to generate cache keys for AD/LDAP DelAuth authentication. The system creates these keys by hashing a combination of user ID, username, and password.
Under specific conditions, this implementation could permit authentication using only a username that matches a previously cached successful login attempt.
"A precondition for this vulnerability is that the username must be or exceed 52 characters any time a cache key is generated for the user," the security advisory noted.
"The vulnerability can be exploited if the agent is down and cannot be reached OR there is high traffic," according to Okta's security advisory. In such scenarios, the Delegated Authentication system would prioritize cache lookups, potentially leading to unauthorized access.
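The mechanism behind the 52-character threshold is bcrypt's fixed 72-byte input limit: bytes past that offset do not influence the hash, so once the user ID plus username fill 72 bytes the password no longer contributes to the cache key. The following is an added example, not Okta's code; it models bcrypt's truncation with a stand-in hash (the truncation, not bcrypt's internals, is what matters here), assumes a 20-byte user ID and the concatenation order user ID + username + password, and contrasts it with a PBKDF2-HMAC key that consumes the whole input. The self-check at the end is the kind of regression test a defender would keep in a cache-key implementation.

```python
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bcrypt silently ignores input bytes past this offset


def cache_material(user_id: str, username: str, password: str) -> bytes:
    # Concatenation order is an assumption for illustration; the advisory only
    # says the key is derived from user ID, username and password.
    return (user_id + username + password).encode("utf-8")


def bcrypt_like_key(material: bytes) -> bytes:
    # Stand-in for bcrypt (constructed, not the real algorithm): models only
    # the 72-byte input truncation that causes the vulnerability.
    return hashlib.sha256(material[:BCRYPT_INPUT_LIMIT]).digest()


def pbkdf2_key(material: bytes, salt: bytes = b"delauth-cache-v1") -> bytes:
    # A fixed per-deployment salt (constructed value) keeps the key
    # deterministic for cache lookups, while PBKDF2-HMAC hashes every byte
    # of the material, so the password always influences the key.
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def key_depends_on_password(kdf, user_id: str, username: str) -> bool:
    # Regression check: the same user with two different passwords must
    # never produce the same cache key. Returns False when the KDF is
    # affected by the truncation defect for this username length.
    k1 = kdf(cache_material(user_id, username, "correct horse battery"))
    k2 = kdf(cache_material(user_id, username, "wrong password"))
    return not hmac.compare_digest(k1, k2)


USER_ID = "00u" + "a" * 17   # constructed 20-character identifier (assumed length)
LONG_NAME = "x" * 52         # 20 + 52 = 72 bytes: password starts past the limit
SHORT_NAME = "x" * 51        # 71 bytes: one byte of the password still counts

if __name__ == "__main__":
    for name in (SHORT_NAME, LONG_NAME):
        print(f"username length {len(name)}: "
              f"bcrypt-like bound to password = "
              f"{key_depends_on_password(bcrypt_like_key, USER_ID, name)}, "
              f"pbkdf2 bound to password = "
              f"{key_depends_on_password(pbkdf2_key, USER_ID, name)}")
```

With the assumed 20-byte user ID, the bcrypt-like key stops depending on the password exactly at a 52-character username, which matches the advisory's precondition; the PBKDF2 key remains password-bound at any length.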
Impact and Scope
The security flaw specifically impacts Okta AD/LDAP Delegated Authentication implementations where usernames are 52 characters or longer. While this prerequisite may limit the vulnerability's scope, organizations using lengthy usernames in their Active Directory or LDAP configurations could be particularly vulnerable.
The issue affects all Okta AD/LDAP DelAuth implementations deployed after July 23, 2024, when the vulnerability was inadvertently introduced during a routine platform update.
Resolution
Upon internal discovery, Okta's security team immediately addressed the vulnerability. The fix involved replacing the Bcrypt algorithm with PBKDF2 for cache key generation, effectively closing the security gap. The patch was deployed to Okta's production environment on the same day as discovery, October 30, 2024.