Okta Patches Vulnerability (CVE-2024-9191) in Verify Desktop MFA for Windows
Okta has addressed a high-severity vulnerability in its Okta Verify Desktop MFA for Windows that could have allowed attackers to steal user passwords. The flaw, tracked as CVE-2024-9191 and given a CVSS score of 7.1, impacted the passwordless login feature within Okta Device Access.
According to Okta’s security advisory, “The Okta Device Access features, provided by the Okta Verify agent for Windows, provides access to the OktaDeviceAccessPipe, which enables attackers in a compromised device to retrieve passwords associated with Desktop MFA passwordless logins.”
Essentially, if an attacker had already gained access to a user’s device, they could exploit this vulnerability to siphon off passwords stored by the Okta Verify agent. This could then lead to further compromise of the user’s Okta account and any connected applications.
The vulnerability was discovered through routine penetration testing by Anvil Secure, and Okta has credited them in their advisory. Importantly, the vulnerability only affected users who had specifically enabled the Okta Device Access passwordless login feature.
“A precondition of this vulnerability is that the user must be using the Okta Device Access passwordless feature,” Okta clarified. “Okta Device Access users not using passwordless are not affected, and customers only using Okta Verify on platforms other than Windows, or only using FastPass are not affected.”
Okta has released Okta Verify for Windows version 5.3.3 to address this vulnerability. Users with versions 5.0.2 to 5.3.2 are urged to upgrade immediately.
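As an added fleet-triage example (not code from Okta or from this article), the script below applies exactly the conditions the advisory states, Windows platform, passwordless enabled, and Okta Verify version 5.0.2 through 5.3.2, to a constructed device inventory; hostnames, versions and the inventory format are hypothetical, and how you collect the version and passwordless state from each endpoint is assumed to come from your own asset data.

```python
# Added example, not Okta's code: triage an inventory for CVE-2024-9191 exposure
# using only the conditions given in the advisory summary (hypothetical inventory).
import re
from dataclasses import dataclass

AFFECTED_MIN = (5, 0, 2)   # first affected Okta Verify for Windows version
AFFECTED_MAX = (5, 3, 2)   # last affected version
FIXED = "5.3.3"            # version that contains the fix

@dataclass
class Device:
    hostname: str
    platform: str          # e.g. "windows", "macos" (constructed values)
    okta_verify: str       # installed Okta Verify version string
    passwordless: bool     # Okta Device Access passwordless login enabled

def parse_version(s: str) -> tuple:
    """'5.3.10' -> (5, 3, 10): compare numerically, never as strings."""
    nums = [int(n) for n in re.findall(r"\d+", s)]  # tolerates '5.3.3-beta2'
    while len(nums) < 3:
        nums.append(0)                               # '5.3' -> (5, 3, 0)
    return tuple(nums[:3])

def is_affected(d: Device) -> bool:
    """True only when every precondition in the advisory holds."""
    if d.platform.lower() != "windows":              # other platforms not affected
        return False
    if not d.passwordless:                           # passwordless is a precondition
        return False
    return AFFECTED_MIN <= parse_version(d.okta_verify) <= AFFECTED_MAX

def triage(devices) -> list:
    """Hostnames that must upgrade to the fixed version."""
    return [d.hostname for d in devices if is_affected(d)]

# Constructed sample inventory; hostnames and states are hypothetical.
SAMPLE = [
    Device("win-fin-01", "windows", "5.3.2", True),    # affected: in range, passwordless on
    Device("win-fin-02", "windows", "5.3.3", True),    # already on the fixed version
    Device("win-hr-07",  "windows", "5.1.0", False),   # in range, but passwordless off
    Device("mac-eng-03", "macos",   "5.2.0", True),    # not Windows
    Device("win-eng-12", "windows", "5.0.1", True),    # below affected range
    Device("win-ops-04", "windows", "5.10.0", True),   # a string compare would wrongly flag this
]

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(f"{host}: upgrade Okta Verify for Windows to {FIXED} (CVE-2024-9191)")
```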