CVE-2024-10327
📋 TL;DR
This vulnerability in Okta Verify for iOS allows attackers to bypass push notification authentication by exploiting the iOS ContextExtension feature. When users interact with push notifications (on locked screens, home screens, or Apple Watch), both accept and deny options incorrectly allow authentication to succeed. Only users who enrolled in Okta Verify while their organization used Okta Classic are affected, regardless of subsequent upgrades to Okta Identity Engine.
💻 Affected Systems
- Okta Verify for iOS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to protected systems and data by bypassing multi-factor authentication, potentially leading to account takeover, data breaches, and lateral movement within networks.
Likely Case
Targeted attackers exploit this to compromise specific high-value accounts by intercepting or triggering push notifications, then using the vulnerability to authenticate regardless of user response.
If Mitigated
With proper network segmentation, monitoring, and quick patching, impact is limited to isolated incidents with rapid detection and containment.
🎯 Exploit Status
Exploitation requires the ability to trigger push notifications to target devices and knowledge of the vulnerable enrollment conditions. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.28.0 and later
Vendor Advisory: https://trust.okta.com/security-advisories/okta-verify-for-ios-cve-2024-10327/
Restart Required: No
Instructions:
1. Update Okta Verify for iOS to version 9.28.0 or later via the App Store.
2. Verify update completion by checking the app version in settings.
3. No device restart is required.
🔧 Temporary Workarounds
Disable ContextExtension Push Notifications
Temporarily disable the vulnerable push notification mechanism in the Okta admin console
Navigate to Okta admin console > Security > Authentication > Okta Verify > Push Notification Settings > Disable ContextExtension feature
Require Additional Authentication Factors
Implement additional authentication requirements for high-risk access
Configure conditional access policies to require additional factors for sensitive applications
🧯 If You Can't Patch
- Identify and monitor users enrolled during Okta Classic period for suspicious authentication attempts
- Implement network segmentation to limit access from potentially compromised accounts
🔍 How to Verify
Check if Vulnerable:
Check the Okta Verify iOS app version in Settings > General > About. If the version is between 9.25.1 and 9.27.0 (inclusive) and the user enrolled during the Okta Classic period, the device is vulnerable.
Check Version:
On iOS device: Settings > General > About > Applications > Okta Verify
Verify Fix Applied:
Confirm Okta Verify iOS app version is 9.28.0 or later. Test push notification authentication to verify both accept and deny options work correctly.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed push notifications followed by successful authentication from same device
- Authentication events where push response time is abnormally fast
- Authentication from devices with vulnerable Okta Verify versions
Network Indicators:
- Authentication requests originating from unexpected locations shortly after push notifications
- Pattern of authentication attempts during off-hours
SIEM Query:
source="okta" event_type="user.authentication.auth_via_mfa" mfa_factor_type="push" result="SUCCESS" | where match(app_version, "^9\.2[5-7]\.") | stats count by user, device
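The log indicators above as a runnable check, added here as an example that is not part of the advisory; the Okta log field names (event_type, mfa_factor_type, result, app_version, push_sent, push_answered, user, device), the 2-second "abnormally fast" cut-off and the sample events are all assumptions.

```python
# Added example (not from the advisory): flag Okta push-MFA successes matching the
# indicators above. Field names and log lines are constructed assumptions.
import json
from datetime import datetime

VULN_LO, VULN_HI = (9, 25, 1), (9, 27, 0)  # inclusive range stated in the advisory
FAST_SECONDS = 2.0                         # "abnormally fast" cut-off; an assumption

def parse_version(v):
    """'9.26.3' -> (9, 26, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def is_vulnerable_version(v):
    return VULN_LO <= parse_version(v) <= VULN_HI

def response_seconds(event):
    sent = datetime.fromisoformat(event["push_sent"])
    return (datetime.fromisoformat(event["push_answered"]) - sent).total_seconds()

def flag_event(event):
    """Return the indicator names matching a successful push MFA (empty = clean)."""
    if (event.get("event_type") != "user.authentication.auth_via_mfa"
            or event.get("mfa_factor_type") != "push"
            or event.get("result") != "SUCCESS"):
        return []
    reasons = []
    if is_vulnerable_version(event.get("app_version", "0.0.0")):
        reasons.append("vulnerable_app_version")
    if response_seconds(event) < FAST_SECONDS:
        reasons.append("fast_push_response")
    return reasons

def scan(ndjson):
    """Map user -> [(device, reasons)] for every flagged newline-delimited JSON event."""
    hits = {}
    for line in ndjson.splitlines():
        if line.strip():
            ev = json.loads(line)
            reasons = flag_event(ev)
            if reasons:
                hits.setdefault(ev["user"], []).append((ev["device"], reasons))
    return hits

# Constructed sample events: vulnerable version, fast answer on a fixed version, pre-9.25.1 version.
SAMPLE_LOG = """\
{"event_type": "user.authentication.auth_via_mfa", "mfa_factor_type": "push", "result": "SUCCESS", "user": "alice", "device": "iPhone-A", "app_version": "9.26.0", "push_sent": "2024-10-01T09:00:00", "push_answered": "2024-10-01T09:00:12"}
{"event_type": "user.authentication.auth_via_mfa", "mfa_factor_type": "push", "result": "SUCCESS", "user": "bob", "device": "iPhone-B", "app_version": "9.28.0", "push_sent": "2024-10-01T09:05:00", "push_answered": "2024-10-01T09:05:01"}
{"event_type": "user.authentication.auth_via_mfa", "mfa_factor_type": "push", "result": "SUCCESS", "user": "dave", "device": "iPhone-D", "app_version": "9.24.9", "push_sent": "2024-10-01T09:15:00", "push_answered": "2024-10-01T09:15:07"}
"""
```

A hit on vulnerable_app_version alone means the device still needs the 9.28.0 update; a fast_push_response hit is only a prompt for review, since a legitimate user can also answer quickly.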