Okta recently fixed a flaw in its Classic platform that allowed attackers to bypass application-level sign-on conditions using valid credentials and an “unknown” device type. Although the issue has been resolved, organizations using Okta Classic should review their system logs for any unusual activity or unauthorized access.
In late September 2024, Okta discovered a flaw affecting Okta Classic configurations, which allowed attackers with legitimate credentials to bypass certain application-level sign-on conditions. These conditions could involve specific policies related to device types, network zones, or authentication methods outside of global policies. The vulnerability was introduced during a software update in mid-July 2024 and was present until early October 2024.
Exploiting this issue required:
Okta released a fix for this vulnerability on October 4, 2024.
If your organization was using Okta Classic after July 17, 2024, you should take the following steps to confirm your system wasn’t compromised:
Review Okta System Logs to identify any successful logins from devices flagged as “unknown” between July 17 and October 4, 2024. Okta provided the following query to search for this activity:
`outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso"`
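The same three conditions can be applied offline to an export of System Log events, which is useful when the retention window in the console has already rolled past July 2024 or when the export has to be joined with other data during triage. The script below is an added example and is not Okta's tooling; it mirrors the query above (successful outcome, device of "Unknown" in any letter case, SSO event type) and additionally restricts matches to the July 17 to October 4, 2024 window, then groups hits by user and application. The field names (`outcome.result`, `client.device`, `eventType`, `published`, `actor.alternateId`, `target[].displayName`) follow the System Log event schema; the sample events themselves are constructed.

```python
"""Filter Okta System Log events for the 'unknown device' SSO pattern.

Added example, not Okta's own code. Field names follow the System Log
event schema; the SAMPLE_EVENTS below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timezone

# Window during which the affected Okta Classic build was live (per the advisory).
WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 4, 23, 59, 59, tzinfo=timezone.utc)


def _event(published, result, device, event_type, user, app):
    """Build a minimal System Log event (constructed sample data)."""
    return {
        "published": published,
        "eventType": event_type,
        "outcome": {"result": result},
        "client": {"device": device},
        "actor": {"alternateId": user},
        "target": [{"type": "AppInstance", "displayName": app}],
    }


# Constructed sample export: two hits, four near-misses.
SAMPLE_EVENTS = [
    _event("2024-08-15T10:22:31.456Z", "SUCCESS", "Unknown",
           "user.authentication.sso", "alice@example.com", "Microsoft Office 365"),
    _event("2024-07-10T08:00:00.000Z", "SUCCESS", "Unknown",          # before window
           "user.authentication.sso", "alice@example.com", "Microsoft Office 365"),
    _event("2024-08-16T11:05:12.000Z", "SUCCESS", "Computer",         # known device
           "user.authentication.sso", "carol@example.com", "Microsoft Office 365"),
    _event("2024-08-17T09:41:00.000Z", "FAILURE", "unknown",          # did not succeed
           "user.authentication.sso", "dave@example.com", "RADIUS"),
    _event("2024-08-18T14:30:00.000Z", "SUCCESS", "unknown",          # not an SSO event
           "user.session.start", "erin@example.com", "RADIUS"),
    _event("2024-09-30T23:59:59.000Z", "SUCCESS", "unknown",          # lowercase variant
           "user.authentication.sso", "bob@example.com", "RADIUS"),
]


def _published(event):
    """Parse the ISO-8601 'published' timestamp (System Log uses a trailing Z)."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def matches_unknown_device_sso(event):
    """Mirror the advisory's query: SUCCESS, device 'unknown' (any case), SSO event type."""
    return (
        event.get("outcome", {}).get("result") == "SUCCESS"
        and event.get("client", {}).get("device", "").lower() == "unknown"
        and event.get("eventType") == "user.authentication.sso"
    )


def in_window(event, start=WINDOW_START, end=WINDOW_END):
    """True if the event falls inside the exposure window."""
    return start <= _published(event) <= end


def find_suspect_events(events):
    """Return events that match the query and fall inside the window."""
    return [e for e in events if matches_unknown_device_sso(e) and in_window(e)]


def summarize(events):
    """Count suspect events per (user, application) to prioritise review."""
    counts = Counter()
    for e in find_suspect_events(events):
        app = next(
            (t.get("displayName") for t in e.get("target", []) if t.get("type") == "AppInstance"),
            "<no AppInstance target>",
        )
        counts[(e["actor"]["alternateId"], app)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, app), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{user:<20} {app:<22} {n} successful SSO event(s) from an unknown device")
```

Each hit still has to be judged on its own: an "unknown" device type is not proof of abuse, but a successful SSO into an application that had its own sign-on policy, from a user or location that does not fit their normal pattern, is exactly the combination the advisory asks you to examine.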
Look for unusual patterns such as:
Search for anomalies like:
Focus on applications that have their own fixed sign-on policy rules, including commonly used services such as Microsoft Office 365 and RADIUS, as these are the applications whose conditions this bypass could circumvent and they may be particularly vulnerable.