Vulnerabilities may allow for authentication bypass.
Okta, a leading identity and access management platform, recently announced a critical security update to address vulnerabilities in its Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) delegated authentication mechanisms. The vulnerability was internally discovered and resolved on [Month] [Day], [Year], raising concerns among organizations that rely on Okta for secure user authentication, as it could allow unauthorized access under certain conditions.
Is using a long secret insecure?
The vulnerability lies in Okta's caching mechanism: specifically, it uses the Bcrypt algorithm to generate the cache key for AD/LDAP delegated authentication (DelAuth). When an unusually long username (52 characters or more) is used under specific circumstances, a user is given the opportunity to authenticate against a cache key stored from a previous session. This means that, when certain conditions are met, a user can log in essentially without repeating the authentication check.
For this vulnerability to be exploitable, several conditions must all be met:
- AD/LDAP delegated authentication (DelAuth) is enabled;
- Multi-factor authentication (MFA) is not used;
- The user has previously authenticated with a username of 52 characters or more;
- The proxy is temporarily unreachable because of downtime or excessive network traffic.
The vulnerability may have affected a limited number of users between [Month] [Day], [Year] and [Month] [Day], [Year], the time frame in which the issue was introduced and eventually resolved. Okta has since moved cache key generation from Bcrypt to a more suitable algorithm, [New Algorithm], to prevent future inconsistencies in cache keys.
Okta urges customers who meet the prerequisites of this vulnerability to check their system logs for any unexpected authentication involving usernames longer than the specified number of characters within the designated time frame. It also emphasizes the importance of enabling MFA in all applications and encourages users to adopt phishing-resistant authenticators, such as [...] or smart cards, to enhance security.
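As an added example (not from the advisory or from Okta), the following Python script implements the log review described above over a few constructed System-Log-like events: it keeps successful delegated logins inside a review window whose username is 52 characters or longer, and ranks those without MFA first. The JSON field names, the event type string and the date window are assumptions and must be mapped to your actual log schema and to the dates in the advisory.

```python
import json
from datetime import datetime, timezone

# Threshold stated in the advisory text above: usernames of 52 characters or more.
LONG_USERNAME = 52

# Example review window (constructed; substitute the dates from the advisory).
WINDOW_START = datetime(2024, 7, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 9, 1, tzinfo=timezone.utc)

# Event type for AD/LDAP delegated authentication (an assumption for this
# example; map it to whatever your log source actually emits).
DELAUTH_EVENT = "user.authentication.auth_via_AD_agent"

# Constructed sample events in a simplified, System-Log-like JSON-lines shape.
SAMPLE_LOG = """
{"published": "2024-08-01T10:00:00Z", "eventType": "user.authentication.auth_via_AD_agent", "outcome": "SUCCESS", "user": "alice", "mfa": true}
{"published": "2024-08-02T11:30:00Z", "eventType": "user.authentication.auth_via_AD_agent", "outcome": "SUCCESS", "user": "svc-long-running-batch-account-for-reporting-team-eu-0001", "mfa": false}
{"published": "2024-08-03T09:15:00Z", "eventType": "user.session.start", "outcome": "SUCCESS", "user": "svc-long-running-batch-account-for-reporting-team-eu-0001", "mfa": true}
{"published": "2024-06-01T09:15:00Z", "eventType": "user.authentication.auth_via_AD_agent", "outcome": "SUCCESS", "user": "another-very-long-username-that-exceeds-fifty-two-characters-x", "mfa": false}
{"published": "2024-08-05T09:15:00Z", "eventType": "user.authentication.auth_via_AD_agent", "outcome": "FAILURE", "user": "another-very-long-username-that-exceeds-fifty-two-characters-x", "mfa": false}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspect_logins(events, start=WINDOW_START, end=WINDOW_END,
                        min_len=LONG_USERNAME):
    """Return successful delegated logins in [start, end] whose username is
    min_len characters or longer. Each hit records whether MFA was present,
    because logins without MFA are the ones that match every precondition."""
    hits = []
    for ev in events:
        published = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if not (start <= published <= end):
            continue
        if ev["eventType"] != DELAUTH_EVENT or ev["outcome"] != "SUCCESS":
            continue
        if len(ev["user"]) < min_len:
            continue
        hits.append({"published": ev["published"], "user": ev["user"],
                     "username_len": len(ev["user"]), "mfa": bool(ev.get("mfa"))})
    # Highest risk first: no MFA, then earliest occurrence.
    hits.sort(key=lambda h: (h["mfa"], h["published"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_logins(parse_events(SAMPLE_LOG)):
        print(f'{hit["published"]} {hit["user"]} len={hit["username_len"]} mfa={hit["mfa"]}')
```

Any hit without MFA should be cross-checked against the agent's availability at that time, since an unreachable agent is the remaining precondition the logs above do not capture.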
More fixes for Okta products
In addition to the DelAuth cache key vulnerability, Okta has also addressed another security flaw, CVE-2024-9191, which affects Windows passwordless login through Okta Verify Desktop MFA. This vulnerability was found during routine penetration testing and could allow an attacker on an already compromised device to retrieve the credentials used during the passwordless login process. The issue affects users of Okta Verify for Windows versions 5.0.2 through 5.3.2.
Customers using affected versions are advised to upgrade to [Version] or later, which includes a patch for the vulnerability. Note that only users of the passwordless feature are at risk; other configurations and platforms are unaffected.
Another recently disclosed vulnerability affecting users of the "classic" configuration is also worth noting. This separate issue was addressed earlier this month and could allow attackers holding valid credentials to bypass specific login policies for highly sensitive applications.