Introduction

Okta, a widely recognized identity and access management service, is integral to safeguarding user authentication for organizations around the world. Known for its ability to streamline secure access to various applications and systems, Okta supports a broad range of authentication methods, including multi-factor authentication (MFA) and single sign-on (SSO). With millions of users and enterprises relying on Okta’s infrastructure for seamless and secure access, any discovered vulnerabilities have the potential for widespread implications.

However, vulnerabilities in such critical systems can pose significant security risks. Recently, two notable vulnerabilities have been discovered in Okta's products, sparking discussions in the cybersecurity community. This article examines these vulnerabilities in detail, focusing on their discovery, technical nature, affected product versions, impact, and recommended mitigation strategies.

1. CVE-2024-9191: Okta Verify Desktop MFA for Windows Password less Login

Overview and Description

CVE-2024-9191 is a high-severity vulnerability affecting the Okta Verify agent for Windows, particularly within the Okta Device Access feature used for password less logins. This vulnerability, discovered during routine penetration testing, enables attackers with access to a compromised device to retrieve user credentials. Specifically, attackers can exploit the Okta Device Access Pipe to obtain passwords linked to Desktop MFA password less logins.

Technical Details

• CVE ID: CVE-2024-9191
• Published Date: November 1, 2024
• Vulnerability Type: Insecure Interaction Between Components, Information Disclosure
• CWE: CWE-276 (Incorrect Default Permissions)
• CVSS v3 Score: 7.1 (High severity)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

The core of this vulnerability lies in the improper handling of permissions between components. The Okta Device Access Pipe, a mechanism designed to enable seamless communication between processes during password less authentication, does not enforce strict access controls. As a result, a local attacker who gains unauthorized access to a compromised device can leverage this pipe to extract sensitive information, such as user credentials.

Impact and Precondition

A precondition for exploiting this vulnerability is that the attacker must have local access to a compromised device. Users and systems leveraging the Okta Device Access password less feature are directly affected. Notably, users not employing the password less feature or those using Okta Verify on platforms other than Windows are not impacted. The issue does not affect customers utilizing only the FastPass functionality.

Affected Products and Versions

• Affected Versions: Okta Verify for Windows versions 5.0.2 to 5.3.2
• Unaffected Platforms: Okta Verify on non-Windows platforms and users relying exclusively on Fast Pass remain secure.

Timeline and Discovery

• April 17, 2024: Vulnerability introduced with the release of version 5.0.2.
• September 20, 2024: An Early Access (EA) version 5.3.3 is released, addressing the vulnerability.
• October 25, 2024: General Availability (GA) of version 5.3.3, remediating the issue for all customers.

Customer Recommendations

To mitigate this vulnerability, customers are advised to upgrade to Okta Verify for Windows version 5.3.3 or later. Implementing this version ensures that the permissions and access controls of the OktaDeviceAccessPipe are properly secured.

2. Okta AD/LDAP Delegated Authentication: Username Above 52 Characters Security Advisory

Overview and Description

On October 30, 2024, another vulnerability was internally identified, affecting the AD/LDAP delegated authentication (DelAuth) mechanism. This issue arises due to the generation of a cache key using the Bcrypt algorithm that hashes a combined string of userId, username, and password. Under specific conditions, users may authenticate using the cache key of a previously successful authentication by submitting a username exceeding 52 characters.

Technical Details

This vulnerability presents a potential security risk by allowing unauthorized access through cached keys. The nature of the Bcrypt-based cache key generation does not properly handle long usernames, which can lead to inadvertent reuse of authentication keys.

Affected Products and Versions

The vulnerability impacts systems configured to use AD/LDAP delegated authentication where usernames longer than 52 characters are involved. Enterprises using shorter usernames or different authentication methods may not be impacted by this specific issue.

Customer Recommendations

Organizations using the affected authentication configuration should revise their username policies or patch their Okta configurations as per the latest security advisories from Okta. Implementing updates and maintaining secure username handling practices can mitigate the risks associated with this vulnerability.

Security Measures for Vulnerability Mitigation and Future Protection

To mitigate vulnerabilities like those found in Okta’s products and strengthen future defenses, organizations should adopt the following key measures:

1. Regular Patching and Updates: Apply security patches promptly to fix known vulnerabilities and reduce the risk of exploitation.

2. Access Control Enhancements: Implement least privilege access, regularly review permissions, and use role-based access controls (RBAC) to protect sensitive systems.

3. Secure Configuration Management: Regularly audit system configurations and use automated tools to ensure secure settings are maintained.

4. Multi-Factor Authentication (MFA): Ensure MFA is enforced across all systems to provide an additional layer of protection beyond passwords.

5. Monitoring and Logging: Use real-time monitoring and logging to detect suspicious activity and respond quickly to potential threats.

6. Security Awareness and Training: Educate employees on secure credential handling, phishing prevention, and best practices for system access.

7. Incident Response Planning: Develop a robust incident response plan to quickly address breaches and minimize damage.

8. Future-Proofing with Secure Design: Incorporate secure coding practices, threat modeling, and regular security testing to prevent vulnerabilities in future updates.

By adopting these practices, organizations can better protect against current and future vulnerabilities in identity management systems.

Conclusion

While Okta remains a leader in identity and access management solutions, these vulnerabilities underscore the importance of continuous security assessments and timely updates. Organizations should remain vigilant, ensuring their Okta deployments are updated to the latest versions to prevent potential exploitation. By following the recommended practices and patching known issues, enterprises can maintain robust security postures and protect their critical assets.

Source

• Okta