This issue was addressed in version 1.58.0 by deprecating the functionality for issuing remote commands over SSH. These versions of the software warn the user when they visit a malicious link that tries to execute an SSH command remotely. GitHub users discovered this vulnerability and reported it to Brian (BENEFIT) and his team. They created a specially crafted URL that launches a bash command on the system. When a victim visits that URL, they are sent to the Okta login page and are then warned that the URL they are visiting is malicious and is being blocked. However, this warning happens only in the GitHub instance; an attacker can easily create a new instance of their own and obtain a URL with which to launch the attack.

CVE-2023-1025

This issue was addressed in version 1.58.0 by removing the functionality to set custom permissions for users via the Okta admin console. These versions of the software prevent users from setting a custom permission for a user via the Okta admin console. GitHub users discovered this vulnerability and reported it to Brian (BENEFIT) and his team. They were able to use this exploit to take ownership of other users' accounts.
They set custom permissions on their own account, then added themselves as an administrator under another user's account. They then used a command that granted them all privileges, including modifying or changing passwords for anyone else on Okta, which allowed them to do whatever they wanted with that account.

What you need to do to mitigate risk

The best way to mitigate risk is to change the default SSH port of 22. All servers should be manually changed to port 2222 so that attackers cannot remotely execute commands on your system. This will also require you to update all of your scripts and tooling that use the OpenSSH libraries. Another way to mitigate risk is by not running any services where SSH can be used from localhost without a password (such as Apache or NGINX). You can also use Okta's multi-factor authentication feature, which uses RSA SecurID tokens.

What are the practical implications of this vulnerability?

The practical implications of this vulnerability are that Okta is not aware of any malicious activity on the GitHub instance. So, when an attacker launches a brute-force attack and then downloads the source code of the vulnerable application to analyze it, they might be able to exploit it in ways that Okta does not detect. Had there been malicious activity on Okta's own instance, it would have been caught. Additionally, if an attacker succeeded in exploiting this vulnerability and found a way to leverage the attack further, they could create a new instance of the vulnerable application and take over the whole company's infrastructure.

Summary of Okta CVEs

This vulnerability is not an Okta-specific issue, because anyone who uses SSH together with the company's web application is vulnerable. However, Okta was able to fix this vulnerability quickly with an update to its software.
Okta has been in the industry for a long time and has a lot of experience with the ways hackers exploit vulnerabilities. They know that the only way to keep their software secure is to monitor it for potential security issues and release updates as soon as they become aware of them.

Possible Mitigation

To mitigate this vulnerability, you would need to make sure you are accessing your site from within your company's network, or from within your office if you do not have access to the network. You would also need to add an extra layer of security so that hackers cannot launch attacks on your system from outside your network. This could be done by using two-factor authentication or by limiting which IP addresses are allowed through your firewall.
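The two mitigation sections above (moving sshd off port 22, and restricting which addresses may reach SSH through the firewall) can be checked mechanically. The following shell script is an added example, not code from the article or from Okta: it audits an sshd_config text for the settings discussed (the listening port, password logins, root login) and prints an allowlist rule for a corporate address range. The sample config, the 203.0.113.0/24 range, and the `inet filter` table and `input` chain named in the nftables rule are all constructed assumptions; Match blocks in sshd_config are deliberately ignored.

```shell
#!/bin/sh
# Added example (not from the original article). Audits an sshd_config text
# for the settings the mitigation sections recommend and emits a firewall
# allowlist rule. Everything below is constructed sample data.

# Constructed sample sshd_config with the defaults the article warns about.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# effective_value <config-text> <keyword>
# sshd uses the first non-comment occurrence of a keyword (keywords are
# case-insensitive); Match blocks are ignored in this simplified reader.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd <config-text>
# Prints one FINDING: line per weak setting, applying OpenSSH defaults when a
# keyword is absent (Port 22, PasswordAuthentication yes,
# PermitRootLogin prohibit-password). Always returns 0 so callers can capture
# the output under set -e.
audit_sshd() {
    cfg="$1"
    port=$(effective_value "$cfg" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "FINDING: sshd listens on the default port 22"
    fi
    pw=$(effective_value "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" = "yes" ]; then
        echo "FINDING: password authentication is enabled"
    fi
    root=$(effective_value "$cfg" PermitRootLogin)
    if [ "${root:-prohibit-password}" = "yes" ]; then
        echo "FINDING: root login with a password is permitted"
    fi
    return 0
}

# count_findings <config-text>: number of FINDING: lines (0 when hardened).
count_findings() {
    audit_sshd "$1" | grep -c '^FINDING:' || true
}

# nft_allowlist_rule <cidr> <port>
# Prints an nftables rule admitting SSH only from the given range. The table
# (inet filter) and chain (input) names are assumptions about the host ruleset.
nft_allowlist_rule() {
    printf 'nft add rule inet filter input ip saddr %s tcp dport %s accept\n' "$1" "$2"
}

# Stand-alone usage: audit the constructed config and print the allowlist rule
# for a constructed corporate range on the article's recommended port.
audit_sshd "$SAMPLE_SSHD_CONFIG"
echo "findings: $(count_findings "$SAMPLE_SSHD_CONFIG")"
nft_allowlist_rule 203.0.113.0/24 2222
```

Run it against a real configuration with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; a hardened file (non-default port, `PasswordAuthentication no`, `PermitRootLogin no`) produces no findings, and the allowlist rule only has an effect once the corresponding table and chain exist and a default drop policy is in place.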

Timeline

Published on: 03/23/2022 20:15:00 UTC
Last modified on: 04/01/2022 14:07:00 UTC
