
Okta Verify Desktop MFA for Windows Passwordless Login CVE-2024-9191


Description

The Okta Device Access feature, provided by the Okta Verify agent for Windows, exposes the OktaDeviceAccessPipe, which enables an attacker on a compromised device to retrieve passwords associated with Desktop MFA passwordless logins. The vulnerability was discovered via routine penetration testing.

Note: A precondition of this vulnerability is that the user must be using the Okta Device Access passwordless feature. Okta Device Access users not using passwordless are not affected, and customers only using Okta Verify on platforms other than Windows, or only using FastPass, are not affected.

Affected product and versions

Customers using Okta Verify for Windows versions 5.0.2 to 5.3.2 are affected.

  • Okta Desktop MFA for Windows Passwordless Login

Customer Recommendations

To remediate this vulnerability, upgrade Okta Verify for Windows to version 5.3.3 or greater.
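As an added triage aid for the remediation above (this is not part of the advisory or of Okta's own tooling), the following PowerShell reports whether the locally installed Okta Verify for Windows build falls in the affected range 5.0.2 to 5.3.2. It assumes the product is registered under the standard Windows Uninstall registry keys with a DisplayName beginning "Okta Verify"; both the key location and the name pattern are assumptions, not details from the advisory.

```powershell
# Added triage script (not Okta's code): flags installed Okta Verify for Windows
# builds in the affected range 5.0.2 - 5.3.2 stated in the advisory for CVE-2024-9191.
# Assumption: the product appears under the standard Uninstall registry keys with a
# DisplayName starting "Okta Verify" (match pattern is hypothetical).

$affectedMin = [version]'5.0.2'   # first affected build per the advisory timeline
$fixed       = [version]'5.3.3'   # first remediated build

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Okta Verify*' }

if (-not $entries) {
    Write-Output 'Okta Verify for Windows not found under the Uninstall registry keys.'
    return
}

foreach ($entry in $entries) {
    $installed = $null
    if (-not [version]::TryParse($entry.DisplayVersion, [ref]$installed)) {
        Write-Output ("{0}: cannot parse DisplayVersion '{1}'" -f $entry.DisplayName, $entry.DisplayVersion)
        continue
    }
    # Affected when 5.0.2 <= installed < 5.3.3; System.Version handles 4-part builds
    # such as 5.3.2.0 correctly against the 3-part bounds.
    $isAffected = ($installed -ge $affectedMin) -and ($installed -lt $fixed)
    $status = if ($isAffected) { 'AFFECTED by CVE-2024-9191: upgrade to 5.3.3 or greater' }
              else             { 'not in the affected version range' }
    Write-Output ("{0} {1}: {2}" -f $entry.DisplayName, $installed, $status)
}
```

The script checks version only; whether the Okta Device Access passwordless feature is in use on the device (the advisory's precondition) must be confirmed separately.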

Resolution

The vulnerability is present in Okta Verify for Windows versions 5.0.2 to 5.3.2 and resolved in Okta Verify for Windows version 5.3.3.

Timeline

2024-04-17 - Vulnerability introduced in version 5.0.2 (Release Notes)

2024-09-20 - Early Access (EA) version 5.3.3 release remediates vulnerability

2024-10-25 - Generally Available (GA) version 5.3.3 release remediates vulnerability

CVE details

CVE ID

CVE-2024-9191

Published Date

November 1, 2024

Vulnerability Type

Insecure Interaction Between Components, Information Disclosure

CWE

CWE-276

CVSS v3

Score: 7.1

Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Acknowledgments

Okta would like to thank Anvil Secure for discovering this vulnerability.

References

Okta Verify release notes for Identity Engine