PT-2024-7900 · Okta · Okta Verify

Published 2024-04-17 · Updated 2024-11-15 · CVE-2024-9191

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Okta Verify for Windows, versions 5.0.2 through 5.3.2

Description
The Okta Device Access feature of the Okta Verify agent for Windows exposes the OktaDeviceAccessPipe component. Its default permissions are incorrect, so an attacker who already has low-privileged code execution on the device (local attack vector, low privileges, no user interaction, per the CVSS vector) can communicate with the pipe and retrieve the passwords associated with Desktop MFA passwordless logins. The vulnerability was discovered via routine penetration testing. Precondition: the user must be using the Okta Device Access passwordless feature. Users who do not use passwordless login, customers running Okta Verify on platforms other than Windows, and customers using only FastPass are not affected.

Recommendations
Upgrade Okta Verify for Windows on every endpoint running versions 5.0.2 through 5.3.2 to a release newer than 5.3.2. Where an upgrade cannot be rolled out immediately, apply temporary workarounds until it is: disable the Okta Device Access passwordless feature (FastPass-only users are not exposed), restrict which local accounts can open the OktaDeviceAccessPipe component, and avoid using Okta Device Access passwordless logins in Desktop MFA until all affected endpoints are patched.
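The following PowerShell triage script is an added example and is not part of this advisory or of Okta's own tooling. It checks the two facts a responder needs per endpoint: whether the installed Okta Verify version falls in the affected range, and whether a low-privileged local account can open the OktaDeviceAccessPipe at all, which is the condition the "restrict access" workaround is meant to remove. It assumes (none of this is stated on the page) that Okta Verify registers a standard uninstall entry whose DisplayName begins with "Okta Verify", that the component is a Windows named pipe reachable as \\.\pipe\OktaDeviceAccessPipe, and that Sysinternals accesschk.exe may be on PATH for the optional DACL listing. It only opens and closes the pipe; it sends nothing over it.

```powershell
# Added triage script for CVE-2024-9191 (not from the advisory or from Okta).
# Assumptions (not stated on the page): Okta Verify has an uninstall registry entry
# whose DisplayName starts with "Okta Verify"; the component is a named pipe at
# \\.\pipe\OktaDeviceAccessPipe; Sysinternals accesschk.exe may be on PATH.
# Run this as a STANDARD (non-admin) user: the question is whether a
# low-privileged local account can open the pipe. Nothing is written to it.

function Get-OktaVerifyVersion {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Okta Verify*' -and $_.DisplayVersion } |
        Select-Object -First 1
    if ($entry) { return [version]$entry.DisplayVersion }
    return $null
}

function Test-AffectedVersion {
    param([version]$Version)
    # Affected range from the advisory: 5.0.2 through 5.3.2, inclusive.
    return ($Version -ge [version]'5.0.2') -and ($Version -le [version]'5.3.2')
}

function Test-PipeOpenable {
    param([string]$PipeName)
    # Returns 'absent', 'open', 'denied' or 'busy' for the calling user.
    $present = [System.IO.Directory]::GetFiles('\\.\pipe\') |
        Where-Object { $_ -like "*\$PipeName" }
    if (-not $present) { return 'absent' }

    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $PipeName, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(2000)          # ms; throws on access denial or timeout
        return 'open'                  # a standard user can reach the pipe
    } catch [System.UnauthorizedAccessException] {
        return 'denied'                # DACL already restricts this account
    } catch [System.TimeoutException] {
        return 'busy'                  # exists, but no free server instance in time
    } finally {
        $client.Dispose()              # close without sending anything
    }
}

# --- Version check -----------------------------------------------------------
$ver = Get-OktaVerifyVersion
if (-not $ver) {
    Write-Output 'Okta Verify: no uninstall entry found (not installed?)'
} else {
    $state = if (Test-AffectedVersion $ver) { 'AFFECTED (5.0.2-5.3.2): upgrade' }
             else { 'outside affected range' }
    Write-Output "Okta Verify $ver : $state"
}

# --- Pipe reachability as the current user ----------------------------------
$pipe   = 'OktaDeviceAccessPipe'
$access = Test-PipeOpenable -PipeName $pipe
Write-Output "\\.\pipe\$pipe as $env:USERNAME : $access"

# --- Optional: list the pipe DACL for the Users group with accesschk --------
$chk = Get-Command accesschk.exe -ErrorAction SilentlyContinue
if ($chk -and $access -ne 'absent') {
    & $chk.Source -accepteula -nobanner -w 'Users' "\pipe\$pipe"
}
```

Read the two lines together: an affected version plus "open" from a standard user means the endpoint is exposed and needs the upgrade or the workaround; "denied" shows the access restriction is in place; "absent" usually means the Device Access feature is not enabled on that machine, which the advisory lists as a non-affected configuration, though the script cannot tell whether the user is enrolled in passwordless login.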

Fix
Upgrade Okta Verify for Windows to a release newer than 5.3.2, the last affected version.

Weakness Enumeration
Incorrect Default Permissions

Related Identifiers
BDU:2024-09404
CVE-2024-9191

Affected Products
Okta Verify