Okta patched a security flaw in AD/LDAP DelAuth affecting usernames over 52 characters
On October 30, 2024, Okta identified a security vulnerability in the cache-key generation of its AD/LDAP Delegated Authentication (DelAuth) feature, affecting usernames of 52 characters or longer. The cache key was produced by running the Bcrypt algorithm over the concatenation of userId, username, and password. Bcrypt only uses the first 72 bytes of its input, so once the userId and username together reach that length the password falls entirely outside the hashed material and no longer influences the key. Under a specific set of conditions, this allowed a user to authenticate by supplying a username whose earlier successful login had left a cached key, regardless of the password entered.
The vulnerability affected Okta AD/LDAP DelAuth from July 23, 2024, and was resolved in production on October 30, 2024, the same day it was identified. Exploitation required all of the following pre-conditions: Okta AD/LDAP delegated authentication in use, no multi-factor authentication (MFA) on the user, a username of 52 characters or longer, a cached key left by a previous successful authentication, and the cache being consulted first, which happens when the AD/LDAP agent is down or cannot be reached.
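The mechanism described above, as an added toy model that is not Okta's code: the cache key is derived from userId + username + password, and the derivation discards everything past 72 bytes, as Bcrypt does. Real Bcrypt is not in the Python standard library, so `bcrypt_like` is a stand-in that reproduces only that input limit; `USER_ID` is a constructed 20-character Okta-style id, and `pbkdf2_key` is an example of a length-unlimited KDF for contrast (the page does not say which algorithm replaced Bcrypt).

```python
"""Added example, not Okta's code: a toy model of the DelAuth cache-key flaw.

Model: cache key = bcrypt(userId + username + password). bcrypt consumes at
most 72 bytes of input, so once userId (20 chars in Okta's format) plus
username reach 72 bytes, the password never enters the hash and any password
matches the cached key.
"""
import hashlib
import hmac
import os

BCRYPT_INPUT_LIMIT = 72          # bytes of input bcrypt actually uses
USER_ID = "00u" + "x" * 17       # constructed 20-character Okta-style user id


def bcrypt_like(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt reproducing only its 72-byte input limit.

    Real bcrypt is not in the standard library; the one property that
    matters for this flaw is that bytes beyond the 72nd are discarded.
    """
    return hashlib.sha256(salt + data[:BCRYPT_INPUT_LIMIT]).digest()


def pbkdf2_key(data: bytes, salt: bytes) -> bytes:
    """Hardened variant: a KDF with no input-length limit (example choice;
    the page does not say which algorithm replaced Bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)


def password_bytes_hashed(user_id: str, username: str) -> int:
    """How many bytes of the password still reach bcrypt for this user."""
    prefix = len((user_id + username).encode())
    return max(0, BCRYPT_INPUT_LIMIT - prefix)


class AuthCache:
    """Key cache consulted when the AD/LDAP agent cannot be reached."""

    def __init__(self, kdf):
        self._kdf = kdf
        self._entries = {}   # username -> (salt, derived key)

    def store(self, user_id, username, password):
        """Record a key after a successful agent-verified login."""
        salt = os.urandom(16)
        material = (user_id + username + password).encode()
        self._entries[username] = (salt, self._kdf(material, salt))

    def check(self, user_id, username, password):
        """Offline check against the cached key."""
        entry = self._entries.get(username)
        if entry is None:
            return False
        salt, key = entry
        material = (user_id + username + password).encode()
        return hmac.compare_digest(key, self._kdf(material, salt))


def wrong_password_accepted(username: str, kdf) -> bool:
    """True if the cache accepts a wrong password for this username."""
    cache = AuthCache(kdf)
    cache.store(USER_ID, username, "correct horse battery staple")
    assert cache.check(USER_ID, username, "correct horse battery staple")
    return cache.check(USER_ID, username, "definitely-wrong")


if __name__ == "__main__":
    for n in (51, 52, 60):
        user = "a" * n
        print(f"username len {n}: password bytes hashed ="
              f" {password_bytes_hashed(USER_ID, user)},"
              f" wrong password accepted (bcrypt-like) ="
              f" {wrong_password_accepted(user, bcrypt_like)},"
              f" (pbkdf2) = {wrong_password_accepted(user, pbkdf2_key)}")
```

With a 20-character userId the threshold is exactly 52: at 51 characters one byte of the password is still hashed (already a weak check), at 52 none is, and the cache accepts any password. Under the length-unlimited KDF the same inputs are rejected.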
Okta advises customers meeting these criteria to review their Okta System Log for unexpected successful authentications by usernames of 52 characters or longer between July 23 and October 30, 2024. Okta also recommends enforcing MFA for all users as a baseline control; since the absence of MFA was one of the pre-conditions, MFA would have blocked this path.
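One way to carry out that log review, as an added example that is not part of the advisory: filter System Log records to successful AD/LDAP delegated authentications by usernames of 52 or more characters inside the affected window. The top-level field names (`eventType`, `published`, `actor.alternateId`, `outcome.result`) follow the Okta System Log JSON schema; the two delegated-authentication `eventType` values are assumed here rather than quoted from the page, and the sample records are constructed.

```python
"""Added example, not from the advisory: scan Okta System Log records for the
pattern Okta asked customers to look for. Top-level field names follow the
System Log JSON schema (eventType, published, actor.alternateId,
outcome.result); the two delegated-auth eventType values are assumed here,
not quoted from the page, so match them against your own tenant's events.
"""
from datetime import datetime, timezone

WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)  # Oct 30 inclusive
MIN_USERNAME_LEN = 52
DELAUTH_EVENT_TYPES = {                       # assumed names, see above
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_LDAP_agent",
}


def parse_published(ts: str) -> datetime:
    """Okta publishes UTC timestamps with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def suspicious_events(records):
    """Return (username, published) for successful AD/LDAP delegated logins by
    usernames of 52+ characters inside the affected window."""
    hits = []
    for rec in records:
        if rec.get("eventType") not in DELAUTH_EVENT_TYPES:
            continue
        if rec.get("outcome", {}).get("result") != "SUCCESS":
            continue
        username = rec.get("actor", {}).get("alternateId") or ""
        if len(username) < MIN_USERNAME_LEN:
            continue
        published = parse_published(rec["published"])
        if not (WINDOW_START <= published < WINDOW_END):
            continue
        hits.append((username, rec["published"]))
    return hits


# Constructed sample records, not real log data.
LONG_USER = "first.middle.lastname.department.location@example.com"  # 53 chars
SAMPLE_LOG = [
    {"eventType": "user.authentication.auth_via_AD_agent", "published": "2024-09-14T08:12:33Z",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.authentication.auth_via_AD_agent", "published": "2024-09-14T08:10:02Z",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "FAILURE"}},
    {"eventType": "user.authentication.auth_via_LDAP_agent", "published": "2024-08-01T17:45:10Z",
     "actor": {"alternateId": "jdoe@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.authentication.auth_via_AD_agent", "published": "2024-11-05T09:00:00Z",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2024-09-14T08:12:34Z",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},
]


def scan_sample():
    """Run the filter over the constructed sample; only the first record matches."""
    return suspicious_events(SAMPLE_LOG)


if __name__ == "__main__":
    for username, when in scan_sample():
        print(f"review: {when} {username} ({len(username)} chars)")
```

Every hit still needs human review: a long username logging in through the agent is normal, so the interesting cases are successes that the user, device or geolocation context cannot explain, particularly during periods when the agent was unreachable.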