In late September 2024, Okta discovered a flaw affecting Okta Classic configurations, which allowed attackers with legitimate credentials to bypass certain application-level sign-on conditions. These conditions could involve specific policies related to device types, network zones, or authentication methods outside of global policies. The vulnerability was introduced during a software update in mid-July 2024 and was present until early October 2024.
Exploiting this issue required:
Okta released a fix for this vulnerability on October 4, 2024.
If your organization was using Okta Classic after July 17, 2024, you should take the following steps to confirm your system wasn’t compromised:
Review Okta System Logs to identify any successful logins from devices flagged as “unknown” between July 17 and October 4, 2024. Okta provided the following query to search for this activity:

```
outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso"
```

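As an added example (not from the original advisory or from Okta), the following Python script applies the same filter to Okta System Log events exported as JSON lines, restricts it to the July 17 to October 4, 2024 exposure window, and groups hits by user, application and source IP so repeated patterns stand out. The events are constructed samples; the field names used (`eventType`, `outcome.result`, `client.device`, `client.ipAddress`, `actor.alternateId`, `target[].displayName`, `published`) are standard System Log fields.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Window during which the affected Okta Classic build was in service (dates from the advisory).
WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 4, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample System Log events, trimmed to the fields the query uses; not real data.
SAMPLE_LOG = """
{"published":"2024-08-02T09:15:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},"client":{"device":"Unknown","ipAddress":"198.51.100.7"},"actor":{"alternateId":"alice@example.com"},"target":[{"type":"AppInstance","displayName":"Microsoft Office 365"}]}
{"published":"2024-08-02T09:20:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},"client":{"device":"Computer","ipAddress":"203.0.113.5"},"actor":{"alternateId":"bob@example.com"},"target":[{"type":"AppInstance","displayName":"Microsoft Office 365"}]}
{"published":"2024-09-14T22:41:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},"client":{"device":"unknown","ipAddress":"198.51.100.7"},"actor":{"alternateId":"alice@example.com"},"target":[{"type":"AppInstance","displayName":"Radius"}]}
{"published":"2024-10-20T08:00:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},"client":{"device":"Unknown"},"actor":{"alternateId":"carol@example.com"},"target":[{"type":"AppInstance","displayName":"Radius"}]}
{"published":"2024-08-03T11:00:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"FAILURE"},"client":{"device":"Unknown"},"actor":{"alternateId":"alice@example.com"},"target":[]}
"""

def parse_events(log_text: str):
    """One JSON object per line, as exported from the Okta System Log API."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def is_suspect(event: dict) -> bool:
    """Python equivalent of Okta's query, restricted to the exposure window."""
    if event.get("eventType") != "user.authentication.sso":
        return False
    if (event.get("outcome") or {}).get("result") != "SUCCESS":
        return False
    device = (event.get("client") or {}).get("device") or ""
    if device.lower() != "unknown":  # matches both "Unknown" and "unknown"
        return False
    published = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
    return WINDOW_START <= published <= WINDOW_END

def suspect_logins(events):
    """Count hits per (user, application, source IP) so repeated patterns stand out."""
    counts = Counter()
    for ev in filter(is_suspect, events):
        user = (ev.get("actor") or {}).get("alternateId", "?")
        apps = [t.get("displayName", "?") for t in ev.get("target", []) if t.get("type") == "AppInstance"]
        ip = (ev.get("client") or {}).get("ipAddress", "?")
        counts[(user, apps[0] if apps else "?", ip)] += 1
    return counts

if __name__ == "__main__":
    for (user, app, ip), n in suspect_logins(parse_events(SAMPLE_LOG)).most_common():
        print(f"{n:>3}  {user:<20} {app:<22} {ip}")
```

Only the two successful "unknown"-device SSO events inside the window survive the filter; the failed login, the classified device and the post-fix event are dropped.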
Look for unusual patterns such as:
Search for anomalies like:
Focus on applications with fixed policy rules, including commonly used services like Microsoft Office 365 and Radius, as these applications may be particularly vulnerable.