
AD/LDAP delegated authentication bypass - username above 52 characters

On October 30, 2024, a security flaw was detected in Okta’s AD/LDAP Delegated Authentication (DelAuth) service.

What Happened?

On October 30, 2024, a security flaw was detected in Okta’s AD/LDAP Delegated Authentication (DelAuth) service. The issue stemmed from how cache keys were generated using Bcrypt and could allow an authentication bypass when specific criteria were met. Under precise conditions, a user could authenticate by supplying a username of 52 characters or more that corresponded with a cache key from a previous successful login.

This flaw impacted Okta AD/LDAP DelAuth from July 23, 2024, until the fix was applied in production on October 30, 2024.

Conditions for Exploitation

Exploitation of this vulnerability was only feasible when all of the following conditions were present:

  • The organization was using Okta’s AD/LDAP DelAuth.
  • No Multi-Factor Authentication (MFA) was enabled.
  • The username was 52 characters or more.
  • An earlier login by the user had been cached.
  • The cached data was used instead of fresh authentication, which can occur if the AD/LDAP agent is unavailable due to high load or connectivity issues.

Resolution

On October 30, 2024, Okta switched from Bcrypt to PBKDF2 for cache key generation, effectively addressing the vulnerability.
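As an added illustration (constructed for this post, not Okta's code), the following Python models a cache key built from userId + username + password under a key-derivation function that reads only the first 72 bytes of its input, which bcrypt does, next to the same key derived with PBKDF2 over the full input. The key composition, the 20-character userId, the static salt and the use of plain SHA-256 in place of the real bcrypt call are assumptions of the model; what it shows is that once userId plus username fill the 72 bytes, the password no longer affects the key, so a key cached from an earlier successful login matches any password.

```python
import hashlib

# Constructed model, not Okta's implementation. Assumptions: the cache key was derived from
# userId + username + password concatenated in that order, and the userId is a fixed-length
# 20-character identifier. bcrypt reads only the first 72 bytes of its input (a documented
# property of the algorithm); the model applies that limit to SHA-256 so it runs without the
# bcrypt library, while the fixed scheme uses the standard library's PBKDF2.
BCRYPT_INPUT_LIMIT = 72
USER_ID = "00u1a2b3c4d5e6f7g8h9"           # constructed 20-character id
CACHE_SALT = b"constructed-static-salt"    # constructed; a cache key needs a fixed salt to be re-derivable


def key_material(user_id, username, password):
    return f"{user_id}{username}{password}".encode("utf-8")


def bcrypt_style_cache_key(user_id, username, password):
    """Vulnerable scheme: everything past byte 72 is silently ignored."""
    material = key_material(user_id, username, password)
    return hashlib.sha256(material[:BCRYPT_INPUT_LIMIT]).hexdigest()


def pbkdf2_cache_key(user_id, username, password):
    """Fixed scheme: PBKDF2 consumes the whole input, so the password always contributes."""
    material = key_material(user_id, username, password)
    return hashlib.pbkdf2_hmac("sha256", material, CACHE_SALT, 10_000).hex()


def password_bytes_covered(user_id, username):
    """How many bytes of the password the truncating scheme still sees (0 means none)."""
    used = len(f"{user_id}{username}".encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - used)


class DelAuthCache:
    """Stands in for the DelAuth cache: remembers keys of earlier successful logins."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._keys = set()

    def record_success(self, user_id, username, password):
        self._keys.add(self._key_fn(user_id, username, password))

    def accepts_from_cache(self, user_id, username, password):
        # Path taken when the AD/LDAP agent is unreachable and the cache is consulted.
        return self._key_fn(user_id, username, password) in self._keys


def wrong_password_accepted(key_fn, username,
                            real_password="correct-horse-battery",
                            wrong_password="not-the-password"):
    """Simulate an earlier cached login, then a later attempt with a different password."""
    cache = DelAuthCache(key_fn)
    cache.record_success(USER_ID, username, real_password)
    return cache.accepts_from_cache(USER_ID, username, wrong_password)


SHORT_USERNAME = "jane.doe@example.com"                 # 20 characters
LONG_USERNAME = "user" + "0" * 36 + "@example.com"      # exactly 52 characters

if __name__ == "__main__":
    for name in (SHORT_USERNAME, LONG_USERNAME):
        print(f"{len(name):2d}-char username: password bytes seen by truncating key = "
              f"{password_bytes_covered(USER_ID, name)}, "
              f"truncating-scheme bypass = {wrong_password_accepted(bcrypt_style_cache_key, name)}, "
              f"PBKDF2 bypass = {wrong_password_accepted(pbkdf2_cache_key, name)}")
```

With a 20-character userId the boundary falls at exactly 52 username characters, which is where the advisory's condition sits; with a 51-character username one byte of the password is still covered, so only passwords sharing that first byte would collide. PBKDF2 has no input-length limit, which is why swapping the KDF removes the condition entirely.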

Recommended Actions

If your organization relies on AD/LDAP DelAuth and meets the conditions described above, it is recommended that you take the following actions:

  1. Log Review: Investigate Okta System Logs for any unexpected authentications involving usernames over 52 characters between July 23 and October 30, 2024.
  2. Enable MFA: Ensure that MFA is in place for all users.
  3. Adopt Phishing-Resistant Options: Consider enrolling users in advanced, phishing-resistant methods, such as Okta Verify FastPass, FIDO2 WebAuthn, or similar authenticators, to improve security.
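The log review in step 1, as an added example rather than an Okta-provided script: it filters exported System Log events down to successful agent-backed authentications inside the July 23 to October 30, 2024 window whose username is 52 characters or more. The field names (eventType, published, actor.alternateId, outcome.result) follow the System Log event schema; the two DelAuth event type names and the sample events are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

# Added detection example, not an Okta-provided script. The two event type names below are
# assumed to be the ones that record an agent-backed password check; adjust them to what
# your tenant's System Log actually shows for DelAuth logins.
DELAUTH_EVENT_TYPES = {
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_LDAP_agent",
}
MIN_USERNAME_LEN = 52
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 30, 23, 59, 59, tzinfo=timezone.utc)


def parse_published(ts):
    """System Log timestamps look like 2024-09-15T08:12:44.123Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_long_username_logins(events):
    """Successful DelAuth logins inside the exposure window with a username of 52+ characters."""
    hits = []
    for ev in events:
        if ev.get("eventType") not in DELAUTH_EVENT_TYPES:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        username = ev.get("actor", {}).get("alternateId") or ""
        if len(username) < MIN_USERNAME_LEN:
            continue
        published = parse_published(ev["published"])
        if not WINDOW_START <= published <= WINDOW_END:
            continue
        hits.append({
            "published": ev["published"],
            "eventType": ev["eventType"],
            "username": username,
            "length": len(username),
        })
    return hits


def load_events(json_text):
    """The System Log API and its export both deliver a JSON array of event objects."""
    return json.loads(json_text)


def _event(published, event_type, username, result):
    """Build a minimal constructed System Log event."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": username, "type": "User"},
        "outcome": {"result": result},
    }


# Constructed sample export, not real data.
LONG_52 = "user" + "0" * 36 + "@example.com"          # 52 characters
LONG_60 = "long.name" + "0" * 39 + "@example.com"     # 60 characters
SAMPLE_LOG_JSON = json.dumps([
    _event("2024-09-15T08:12:44.123Z", "user.authentication.auth_via_AD_agent", LONG_52, "SUCCESS"),
    _event("2024-09-15T08:13:02.001Z", "user.authentication.auth_via_AD_agent", "jane.doe@example.com", "SUCCESS"),
    _event("2024-07-01T10:00:00.000Z", "user.authentication.auth_via_LDAP_agent", LONG_60, "SUCCESS"),  # before window
    _event("2024-10-02T17:45:10.500Z", "user.authentication.auth_via_LDAP_agent", LONG_60, "FAILURE"),  # not a success
    _event("2024-10-02T17:46:00.000Z", "user.session.start", LONG_60, "SUCCESS"),                      # not a DelAuth event
])

if __name__ == "__main__":
    for hit in find_long_username_logins(load_events(SAMPLE_LOG_JSON)):
        print(hit)
```

The rows it returns are candidates, not confirmed bypasses: the flaw only engaged when the cached key was used in place of a live agent check, so each hit should be correlated with agent availability at that time and with whatever else the account did in the same session before drawing a conclusion.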
