Okta’s AD/LDAP Authentication Flaw Exposes Passwordless Login Vulnerability

A critical vulnerability was discovered in Okta’s AD/LDAP DelAuth (delegated authentication) solution, allowing attackers to log in without a password under specific circumstances. The bug, introduced through a routine July 23, 2024 update, stems from the use of the Bcrypt algorithm to generate cache keys.

The vulnerability could be exploited when the username was 52 characters long or longer, bypassing the need for a password. Exploitation also required that MFA not be applied and that the authentication attempt fall within a specific time frame, between July 23 and October 30, 2024, while the AD/LDAP agent was down due to high traffic.

Okta has since fixed the vulnerability by replacing the Bcrypt algorithm with PBKDF2 for cache key generation. The company published its secure by design progress report on October 31, noting that it has completed work on three of the seven high-level commitments and plans to complete the remaining work by May 2025.
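The mechanism behind the username-length condition is that bcrypt's key schedule only consumes the first 72 bytes of its input, so when a long username sits in front of the password in the string being hashed, the password bytes fall past the cutoff and no longer influence the cache key; PBKDF2 builds on HMAC, which has no such input cap. The following is an added example, not Okta's code and not from the article. It assumes a cache key layout of user id, then username, then password (that layout is an assumption here, not stated on the page), uses a constructed 20-character user id, and models bcrypt's 72-byte limit with a stand-in function rather than a real bcrypt implementation. It shows the check a defender would run against any cache-key derivation: at what username length does the password stop changing the key?

```python
import hashlib

# bcrypt's EksBlowfish key schedule reads at most this many bytes of the password input.
BCRYPT_INPUT_LIMIT = 72


def bcrypt_model(data: bytes) -> bytes:
    """Stand-in for bcrypt (constructed for this demonstration, NOT a bcrypt implementation).

    It models the one property that matters here: any input byte beyond the
    72nd has no effect on the output.
    """
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).digest()


def pbkdf2_kdf(data: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the whole input; HMAC imposes no input-length cap.

    Fixed salt and iteration count so that keys are directly comparable in this demo.
    """
    return hashlib.pbkdf2_hmac("sha256", data, b"constructed-demo-salt", 1000)


def derive_cache_key(kdf, user_id: str, username: str, password: str) -> bytes:
    # Assumed layout: identifiers first, password last (an assumption, not from the page).
    material = (user_id + username + password).encode("utf-8")
    return kdf(material)


def password_affects_key(kdf, user_id: str, username: str) -> bool:
    """True if two different passwords yield two different cache keys for this username."""
    key_a = derive_cache_key(kdf, user_id, username, "correct horse battery staple")
    key_b = derive_cache_key(kdf, user_id, username, "wrong-password")
    return key_a != key_b


def shortest_unsafe_username_length(kdf, user_id: str, max_len: int = 200):
    """Smallest username length at which the password no longer changes the key.

    Returns None if no such length exists up to max_len, i.e. the KDF is safe
    for every username length the directory could plausibly allow.
    """
    for length in range(1, max_len + 1):
        if not password_affects_key(kdf, user_id, "a" * length):
            return length
    return None


# Constructed 20-character id. With a 72-byte cap, 20 id bytes + 52 username bytes
# exactly fill the hashed input, so the threshold lands at the 52 characters the
# article reports.
CONSTRUCTED_USER_ID = "00u" + "x" * 17


if __name__ == "__main__":
    for name, kdf in (("bcrypt-model", bcrypt_model), ("pbkdf2", pbkdf2_kdf)):
        threshold = shortest_unsafe_username_length(kdf, CONSTRUCTED_USER_ID)
        if threshold is None:
            print(f"{name}: password influences the cache key for every tested username length")
        else:
            print(f"{name}: password is ignored once the username reaches {threshold} characters")
```

The same harness can be pointed at a real bcrypt binding (with a fixed salt so outputs are comparable) to confirm the behaviour against the genuine algorithm; the lesson is that any KDF with an input cap must only ever receive the password, never a concatenation in which attacker-controlled or long fields precede it.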

While Okta’s commitment to security is laudable, concerns remain about the implementation of MFA enforcement and secure authentication approaches. The company’s chief security officer acknowledged that achieving 100% compliance with the “secure by design” principles is a challenging task.

As leading vendors continue to pledge their support for CISA’s “secure by design” initiative, it is essential to monitor progress and address any shortcomings. Despite some challenges, Okta’s efforts demonstrate a commitment to improving its security posture, and the company should be commended for its prompt response to the identified vulnerability.

Source: https://www.csoonline.com/article/3599118/oktas-secure-by-design-pledge-suffers-a-buggy-setback.html