Okta urged its customers to check for exploitation of a recently patched sign-on policy bypass vulnerability for Okta Classic that could have resulted in unauthorized access to applications, especially if organizations had misconfigured or weak policies in place.
In an advisory to customers, Okta said exploitation required a combination of factors: valid credentials, use of application-specific sign-on policies, and an “unknown” user-agent, such as Python scripts or uncommon browser types.
Okta advised customers running Okta Classic to review the Okta System Log for unexpected authentications from user agents evaluated by Okta as “unknown” between July 17 and Oct. 4 — the day the bug was ultimately patched.
While Okta publicly reported that it services are used by 100 million users, it’s not clear how many of them still use Okta Classic. The upgrade — Okta Identity Engine — was released in January 2022. When contacted Oct. 7, an Okta spokesperson referred SC Media to what was reported in the company's most recent advisory.
Here’s what Okta recommended to Okta Classic customers:
- Start by searching for activity prior to July 17, 2024. If a user authenticated to the same application with the same "unknown" user-agent, this suggests that the more recent event was authorized.
- Search for unsuccessful authentication attempts that could indicate a credential-based attack immediately prior to a successful authentication event for the user. This suggests that the more recent event was not authorized.
- Look for activity that deviates from previous user behavior, such as unusual geolocations, IPs, time of access, or ASNs
- Pay attention to apps with default policy rules that are not customer configurable, including Microsoft Office 365 and Radius.
Jason Soroko, senior fellow at Sectigo, said Okta Classic users affected by the sign-on bypass vulnerability should take immediate action. Soroko agreed that teams should review their Okta System Logs between July 17 and Oct. 4 for any unexpected authentications from user-agents evaluated as “unknown.”
“Ensure all user accounts are secure and update your sign-on policies to reinforce authentication requirements,” said Soroko. “Implement multi-factor authentication for all users to enhance security. Stay informed through Okta’s official security advisories and promptly apply any recommended patches or configurations. If you detect suspicious activity, contact Okta support immediately for assistance.”
