Okta reports a vulnerability in Okta AD/LDAP Delegated Authentication (DelAuth), the component that lets Okta hand off logins to an organization's Active Directory or LDAP directory. The issue arises when a user's username exceeds 52 characters.
The root cause is that the DelAuth cache derives its key with bcrypt, which only hashes the first 72 characters of its input. The cache key is computed as bcrypt(userID + username + password), so once the userID and username alone fill those 72 characters, the password is cut off and only the userID and username are effectively hashed. Okta resolved this vulnerability by switching to PBKDF2, which hashes the entire input and has no such length limit.
For the flaw to be exploitable, the user must previously have logged in through DelAuth so that a cache entry exists. They may then log in successfully when the AD/LDAP agent is unavailable or when multiple login attempts cause the system to fall back to the cached data.
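To make the truncation concrete, here is an added example (not Okta's code) that models the cache-key derivation described above and provides a small audit check for which accounts are affected. bcrypt's 72-byte input limit is reproduced as explicit truncation before a SHA-256 stand-in so the block runs without the bcrypt package, while the corrected side uses Python's real hashlib.pbkdf2_hmac; the 20-character user ID, the usernames, the salt and the iteration count are constructed values.

```python
import hashlib

BCRYPT_INPUT_LIMIT = 72  # bcrypt only looks at the first 72 bytes of its input

# Constructed sample values (not from the advisory): a 20-character user ID,
# a 53-character username (exceeds 52) and a short one for comparison.
USER_ID = "00u1a2b3c4d5e6f7g8h9"
LONG_USERNAME = "a" * 41 + "@example.com"
SHORT_USERNAME = "alice@example.com"
SALT = b"constructed-salt"


def cache_key_bcrypt_model(user_id: str, username: str, password: str) -> str:
    """Flawed DelAuth key: bcrypt(userID + username + password).

    bcrypt is modelled as 'truncate to 72 bytes, then hash'. The truncation is
    bcrypt's documented behaviour; SHA-256 only stands in for its output.
    """
    material = (user_id + username + password).encode("utf-8")
    return hashlib.sha256(material[:BCRYPT_INPUT_LIMIT]).hexdigest()


def cache_key_pbkdf2(user_id: str, username: str, password: str) -> str:
    """Corrected key: PBKDF2-HMAC-SHA256 over the full input, no cutoff."""
    material = (user_id + username + password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, SALT, 100_000).hex()


def password_bytes_in_key(user_id: str, username: str) -> int:
    """Password bytes bcrypt would still see for this account; 0 means the
    cached key does not depend on the password at all (an audit check)."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def passwords_collide(user_id: str, username: str, pw_a: str, pw_b: str,
                      derive=cache_key_bcrypt_model) -> bool:
    """True when two different passwords yield the same cache key."""
    return derive(user_id, username, pw_a) == derive(user_id, username, pw_b)


if __name__ == "__main__":
    for name in (SHORT_USERNAME, LONG_USERNAME):
        print(f"{name!r}: {password_bytes_in_key(USER_ID, name)} password bytes hashed, "
              f"bcrypt-model collision={passwords_collide(USER_ID, name, 'correct', 'wrong')}, "
              f"pbkdf2 collision={passwords_collide(USER_ID, name, 'correct', 'wrong', cache_key_pbkdf2)}")
```

Running it shows the 53-character username leaving zero password bytes in the bcrypt-modelled key, so any password maps to the same cached entry, while PBKDF2 keeps the keys distinct.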
Okta discovered and fixed this issue on its own.
Source – Okta
TLDR: Okta identified and resolved a vulnerability in the Okta AD/LDAP DelAuth software that arises when a user's username exceeds 52 characters. The issue was caused by the 72-character input limit of bcrypt in the DelAuth cache system and has been fixed by using PBKDF2 instead of bcrypt.