CVE-2024-7061
📋 TL;DR
Okta Verify for Windows is vulnerable to privilege escalation through DLL hijacking, allowing attackers to execute arbitrary code with elevated privileges. This affects all Windows users running Okta Verify versions before 5.0.2. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Okta Verify for Windows
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an attacker gains SYSTEM-level privileges, installs persistent malware, accesses sensitive data, and moves laterally across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional tools, and maintain persistence on compromised systems.
If Mitigated
Limited impact with proper endpoint protection, application whitelisting, and least privilege principles in place.
🎯 Exploit Status
Requires local access and ability to place malicious DLLs in specific directories. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.2 or greater
Vendor Advisory: https://trust.okta.com/security-advisories/okta-verify-for-windows-privilege-escalation-cve-2024-7061/
Restart Required: Yes
Instructions:
1. Download Okta Verify for Windows version 5.0.2 or later from Okta's official website.
2. Close Okta Verify if running.
3. Run the installer and follow prompts.
4. Restart the system to ensure all changes take effect.
🔧 Temporary Workarounds
Restrict DLL loading paths
Windows: Use Windows policies to restrict where applications can load DLLs from
Use Group Policy to configure DLL search path restrictions
Application control policies
Windows: Implement application whitelisting to prevent unauthorized DLL execution
Configure Windows Defender Application Control or AppLocker policies
🧯 If You Can't Patch
- Implement strict least privilege principles - ensure users don't have administrative rights
- Deploy endpoint detection and response (EDR) solutions to monitor for DLL hijacking attempts
🔍 How to Verify
Check if Vulnerable:
Check Okta Verify version in Windows Settings > Apps > Apps & features, or run 'wmic product where name="Okta Verify" get version' in command prompt
Check Version:
wmic product where name="Okta Verify" get version
Verify Fix Applied:
Verify version is 5.0.2 or higher using the same methods, and test that Okta Verify functions normally after update
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual paths
- Process Monitor logs showing Okta Verify loading DLLs from user-writable directories
Network Indicators:
- No network indicators as this is local exploitation
SIEM Query:
(EventID=7 OR EventID=11) AND ProcessName="OktaVerify.exe" AND ImageLoaded contains user-writable path
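One way to make "user-writable path" in the query above concrete, as an added example that is not from Okta or the original page. It assumes the event IDs are Sysmon's (7 = image load, 11 = file create) and that records are already parsed into dictionaries; the prefix list, install directory placeholder and sample events are constructed.

```python
import ntpath

# Assumption: prefixes treated as user-writable; adjust to your environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TARGET_PROCESS = "oktaverify.exe"  # process name taken from the SIEM query


def is_user_writable(path):
    """True if the normalised path falls under an assumed user-writable prefix."""
    # normpath collapses ".." segments so a traversal cannot hide the real folder.
    return ntpath.normpath(path).lower().startswith(USER_WRITABLE_PREFIXES)


def suspicious_events(events):
    """Return records where OktaVerify.exe loads (ID 7) or writes (ID 11)
    a DLL located in a user-writable directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (7, 11):
            continue
        if ntpath.basename(ev.get("Image", "")).lower() != TARGET_PROCESS:
            continue
        # Sysmon ID 7 records the DLL in ImageLoaded, ID 11 in TargetFilename.
        path = ev.get("ImageLoaded") or ev.get("TargetFilename") or ""
        if path.lower().endswith(".dll") and is_user_writable(path):
            hits.append(ev)
    return hits


# Constructed sample records (not real telemetry); PLACEHOLDER stands in for
# the actual install directory, which the page does not give.
OKTA = r"C:\Program Files\PLACEHOLDER\OktaVerify.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": OKTA, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": OKTA, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example.dll"},
    {"EventID": 11, "Image": OKTA, "TargetFilename": r"C:\ProgramData\example\helper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\alice\example.dll"},
]

if __name__ == "__main__":
    for ev in suspicious_events(SAMPLE_EVENTS):
        print(ev["EventID"], ev.get("ImageLoaded") or ev.get("TargetFilename"))
```

If Okta Verify is installed under one of the listed prefixes in your environment, exclude its install directory before alerting on the results.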