
Okta’s ‘secure by design’ pledge suffers a buggy setback – Source: www.csoonline.com


Source: www.csoonline.com – Author: Shweta Sharma

News

05 Nov 2024, 4 min read

Authentication, Security, Vulnerabilities

Okta’s AD/LDAP delegated authentication flaw allowed an attacker to log in without a password.

With over 200 software vendors pledged to CISA’s “secure by design” principles and a number of them having already submitted their commitment progress reports, a few unfortunate goofs show that some are more committed than others.

The day before it published its progress report, Okta revealed that a bug in one of its identity and access management (IAM) features, AD/LDAP Delegated Authentication (DelAuth), allowed attackers to log in without a password under certain conditions.

“On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth,” Okta warned users in an update. “Under a specific set of conditions this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication.”

The flaw is an obvious oversight of at least one of the seven commitments in CISA’s secure by design pledge, which cover driving adoption of multi-factor authentication (MFA), reducing default passwords, reducing entire classes of vulnerability, improving the uptake of security patches, publishing a vulnerability disclosure policy, transparency in CVE reporting, and giving customers evidence of intrusions.

Cache key generation isn’t secure by design

The vulnerability, which was introduced through a routine July 23, 2024 update, stems from Okta’s use of the Bcrypt algorithm to generate a cache key by hashing a single combined string of user ID, username, and password. Bcrypt only processes the first 72 bytes of its input, so once the user ID and username consume that budget, the password no longer contributes anything to the resulting key.

For usernames of 52 characters or longer, the password was therefore effectively ignored, and the cache key stored from a previous successful login matched a later attempt with any password, or none, bypassing the password check entirely.

Exploitation also required that MFA not be enforced for the user, that the earlier successful authentication had occurred between July 23 and October 30, 2024, and that the cache be consulted before the directory, which happens when the AD/LDAP agent is down or cannot be reached because of high traffic.

Absence of MFA enforcement and secure authentication approaches constitute two counts of failure on Okta’s “secure by design” commitments. The good news, however, is that Okta fixed the vulnerability the same day it discovered it, and a patch was deployed within Okta’s production environment.

The fix replaced Bcrypt with PBKDF2 for cache key generation; PBKDF2 has no such input-length limit, so every byte of the combined string, including the password, influences the key.
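To make the username-length threshold concrete, here is an added example written for this page; it is not Okta’s code and does not come from the original article. It models the pre-fix derivation with a stand-in that reproduces only bcrypt’s 72-byte input limit using Python’s standard library (it is not real bcrypt), alongside a PBKDF2-HMAC-SHA256 derivation over the full string, and compares a stored cache key against a fresh attempt the way the cache path would when the agent is unavailable. The 20-character user ID format, the concatenation order without a separator, the salt, the iteration count and the sample usernames are all assumptions, not details Okta has published.

```python
import hashlib
import hmac

# bcrypt, the pre-fix KDF, only consumes the first 72 bytes of its input;
# anything past that byte has no effect on the output.
BCRYPT_INPUT_LIMIT = 72

# Constructed sample data (assumptions, not real Okta values).
# Okta user IDs are assumed to be 20-character identifiers; with a 20-byte ID,
# a 52-byte username uses up the 72-byte budget before the password starts.
USER_ID = "00u1a2b3c4d5e6f7g8h9"
LONG_USERNAME = "jane.doe" + "x" * 30 + "@corp.example.com"   # 55 characters
SHORT_USERNAME = "jdoe@corp.example.com"                      # 21 characters
CACHE_SALT = b"\x5a" * 16  # salt stored with the cache entry (constructed)


def combined_material(user_id: str, username: str, password: str) -> bytes:
    """The concatenated string the article describes; order and lack of a
    separator are assumptions."""
    return (user_id + username + password).encode("utf-8")


def surviving_password_bytes(user_id: str, username: str) -> int:
    """How many bytes of the password would still reach a 72-byte-limited KDF."""
    prefix_len = len(combined_material(user_id, username, ""))
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def cache_key_bcrypt_model(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Stand-in for the pre-fix derivation. NOT bcrypt: it reproduces only the
    72-byte truncation and then hashes with SHA-256 so no third-party package
    is needed. The prefix-only behaviour, which is what matters here, is kept."""
    material = combined_material(user_id, username, password)[:BCRYPT_INPUT_LIMIT]
    return hashlib.sha256(salt + material).digest()


def cache_key_pbkdf2(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Shape of the post-fix derivation: PBKDF2-HMAC-SHA256 over the whole
    string, with no truncation. The iteration count is an assumption."""
    material = combined_material(user_id, username, password)
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def cache_accepts(key_fn, user_id: str, username: str,
                  cached_password: str, attempted_password: str,
                  salt: bytes = CACHE_SALT) -> bool:
    """Model of the cache path used when the AD/LDAP agent is unreachable: the
    key derived from the new attempt is compared with the key stored after the
    last successful login. Returns True if the attempt would be accepted."""
    stored = key_fn(user_id, username, cached_password, salt)
    attempt = key_fn(user_id, username, attempted_password, salt)
    return hmac.compare_digest(stored, attempt)


if __name__ == "__main__":
    for label, user in (("short", SHORT_USERNAME), ("long", LONG_USERNAME)):
        seen = surviving_password_bytes(USER_ID, user)
        print(f"{label} username ({len(user)} chars): {seen} password byte(s) reach the KDF")
        for kdf_name, fn in (("bcrypt-model", cache_key_bcrypt_model),
                             ("pbkdf2", cache_key_pbkdf2)):
            ok = cache_accepts(fn, USER_ID, user, "Correct-Horse-Battery", "wrong-password")
            print(f"  {kdf_name:12} accepts a wrong password: {ok}")
```

Running it shows the long-username case accepting a wrong (or empty) password under the truncating model but not under PBKDF2, while the short username is safe under both. With the assumed 20-byte user ID, 51 username characters leave exactly one password byte in play and 52 leave none, which is where the model’s threshold lands; the real user ID length behind Okta’s 52-character figure is not stated in the advisory.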

Making progress

Okta published its secure by design progress report on October 31, noting it has completed work on three of the seven high-level commitments and is working to complete the others by May 2025.

“We found it more challenging to be able to commit to achieving these goals in 100% of our products and operations,” David Bradbury, chief security officer at Okta, wrote in the report. “It has been a valuable exercise to hunt down and engineer solutions to those edge cases that prevent us from being able to state that we meet these goals without exception.”

In the report, Okta marked “On Track” against “Drive Adoption of MFA” and “Completed” against “Reduce use of default passwords”. While “default passwords” refers only to the preset login credentials that manufacturers ship with devices or software, CISA lists “implementing secure authentication approaches” as one of the strategies for meeting that goal.

“All secrets generated in Okta cloud services are randomly generated,” Bradbury said. “This includes customer tenant encryption keys, client secrets or JWK key pairs for application integrations, temporary user passwords and API keys.” It is unclear if this applies to the generation of cache keys.

Bradbury added that Okta is on track with its secure by design commitments and would not be opposed to CISA expanding its list of goals and making it a multi-year program.

While leading vendors like Microsoft, Google, Cisco, Amazon Web Services, and IBM have all pledged to CISA’s “secure by design” principles, only a handful have submitted their first progress report since CISA announced its secure by design initiative in April 2023. Recently, Google and Fortinet submitted their reports which reflected a generic “work in progress” theme.


Original Post url: https://www.csoonline.com/article/3599118/oktas-secure-by-design-pledge-suffers-a-buggy-setback.html

Category &amp; Tags: Authentication, Security, Vulnerabilities

