Alert essentials:
Okta corrected a flaw in its AD/LDAP Delegated Authentication that could allow users to authenticate by providing only a username.
A fix that replaced Bcrypt with PBKDF2 for cache-key hashing was released on October 30th, 2024.
Be sure the latest version is installed.
Detailed threat description:
Cached keys from previous authentications could have been used to allow users to bypass the password requirement when logging into Okta. If the latest version hasn’t been deployed, this vulnerability still exists.
Previously, Bcrypt was used in Okta's AD/LDAP Delegated Authentication system. While a secure hashing algorithm, Bcrypt can only process up to 72 bytes of input; anything beyond that limit is silently truncated.
Okta cache keys were generated from a user ID, a username, and a password, in that order. If this combined input exceeded Bcrypt's 72-byte limit, the key was truncated and the password, which came last, was partly or entirely cut off, potentially allowing users to bypass the password requirement and authenticate with an old, cached key.
Exploitation of the vulnerability required that all of the following pre-conditions be met:
- Okta AD/LDAP delegated authentication is used
- MFA is not applied
- The username is 52 characters or longer
- The user previously authenticated, creating a cached key for that authentication
- The cached key was checked first, which can occur if the AD/LDAP agent was down or could not be reached, for example due to high network traffic
- The authentication occurred between July 23rd, 2024 and October 30th, 2024
It is currently unclear whether there has been any exploitation in the wild. Okta identified and remedied the critical vulnerability in its production environment on October 30th, 2024.
As remediation, the vendor stopped using Bcrypt and now uses PBKDF2, which does not share Bcrypt's 72-byte input limit and produces a much longer output.
Impacts on healthcare organizations:
Patient safety and care delivery may be jeopardized without access to life-saving technology.
A network attack can remove access to technology and impair the ability to care for patients effectively.
Additionally, attacker access to private patient data opens the door to theft of that information and to intentional or unintentional alteration of the data, which could severely affect patient health and outcomes.
Recommendations
Engineering recommendations:
- Be sure MFA is implemented
- If your Okta instances meet the conditions above, the vulnerability may have been exploited in your environment
Leadership/Program recommendations:
- If the above conditions are met, Okta recommends investigating the Okta System Logs for unexpected authentications from usernames of 52 characters or longer between July 23rd, 2024 and October 30th, 2024
- Okta also encourages customers to enroll phishing-resistant authenticators and to enforce phishing resistance for access to all applications
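The log review recommended above, applied to the pre-conditions listed in the threat description, as an added example (not Okta's or Fortified's code). It assumes Okta System Log events are JSON objects with the fields actor.alternateId, eventType, outcome.result and published, and that a successful user.session.start event marks a completed authentication; the sample events are constructed.

```python
import json
from datetime import datetime, timezone

# Pre-conditions from the advisory: username length and the affected window
MIN_USERNAME_LEN = 52
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)  # exclusive, so all of Oct 30 is included

# Assumption of this example: a successful session start is the authentication marker to review
AUTH_EVENT = "user.session.start"


def parse_published(ts: str) -> datetime:
    """Okta publishes UTC timestamps such as 2024-08-15T09:12:00.000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_suspect(event: dict) -> bool:
    """True when a successful login matches every pre-condition the log itself can show."""
    if event.get("eventType") != AUTH_EVENT:
        return False
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return False
    username = event.get("actor", {}).get("alternateId", "")
    if len(username) < MIN_USERNAME_LEN:
        return False
    published = parse_published(event["published"])
    return WINDOW_START <= published < WINDOW_END


def triage(log_lines):
    """Return (username, published) for each suspect event; non-JSON lines are skipped."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspect(event):
            hits.append((event["actor"]["alternateId"], event["published"]))
    return hits


# Constructed sample log lines (not real data); LONG_USER is exactly 52 characters
LONG_USER = "a" * 40 + "@example.com"
SAMPLE_LOG = [
    json.dumps({"eventType": AUTH_EVENT, "outcome": {"result": "SUCCESS"},
                "actor": {"alternateId": LONG_USER}, "published": "2024-08-15T09:12:00.000Z"}),
    json.dumps({"eventType": AUTH_EVENT, "outcome": {"result": "SUCCESS"},
                "actor": {"alternateId": LONG_USER}, "published": "2024-11-02T09:12:00.000Z"}),
    json.dumps({"eventType": AUTH_EVENT, "outcome": {"result": "SUCCESS"},
                "actor": {"alternateId": "bob@example.com"}, "published": "2024-08-15T09:12:00.000Z"}),
    json.dumps({"eventType": AUTH_EVENT, "outcome": {"result": "FAILURE"},
                "actor": {"alternateId": LONG_USER}, "published": "2024-09-01T00:00:00.000Z"}),
    "not a json line",
]

if __name__ == "__main__":
    for username, when in triage(SAMPLE_LOG):
        print(f"review: {username} authenticated at {when}")
```

Only the first sample event is flagged; the others fall outside the window, use a short username, or did not succeed.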
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username
- https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf
- https://www.darkreading.com/vulnerabilities-threats/okta-fixes-auth-bypass-bug-three-month-lull
- https://405d.hhs.gov/Documents/HICP-Main-508.pdf