CVE-2024-9191
📋 TL;DR
This vulnerability allows an attacker who already has access to a compromised Windows device to retrieve the passwords associated with Desktop MFA passwordless logins by talking to the OktaDeviceAccessPipe named pipe. Only users of the Okta Device Access passwordless feature on Windows are affected; other platforms and users who have not enrolled in passwordless login are not vulnerable.
💻 Affected Systems
- Okta Verify agent for Windows
📦 What is this software?
Okta Verify is Okta's authenticator client. On Windows, the Okta Verify agent also hosts Okta Device Access (Desktop MFA), which adds MFA to the Windows sign-in and can optionally let users log in to the desktop without typing their password (passwordless login). The agent's components communicate over a local named pipe, OktaDeviceAccessPipe.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the credentials behind passwordless login, giving the attacker a reusable password for the user's Windows account and, where the same credential backs Okta sign-in, unauthorized access to Okta-protected resources and lateral movement within the organization.
Likely Case
Credential theft from compromised Windows endpoints, leading to unauthorized access to applications and services protected by Okta passwordless authentication.
If Mitigated
Limited impact if endpoint security controls detect and block unauthorized clients of the OktaDeviceAccessPipe, or if the passwordless feature is disabled so that no password is held for retrieval.
🎯 Exploit Status
Requires local access (code execution) on a compromised Windows device where the user has passwordless login configured; no network-only attack path is described. Discovered via routine penetration testing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Okta release notes for the specific fixed version
Vendor Advisory: https://trust.okta.com/security-advisories/
Restart Required: Yes
Instructions:
1. Review the Okta release notes for the fixed version.
2. Update the Okta Verify agent for Windows to the patched version.
3. Restart affected Windows devices.
🔧 Temporary Workarounds
Disable Passwordless Feature (Windows)
Temporarily disable Okta Device Access passwordless logins on Windows endpoints. This removes the stored password that the vulnerability retrieves; users keep Desktop MFA but must type their password again.
Configure via the Okta Admin Console: Security > Authenticators > Device Access > Disable passwordless for Windows (check the Okta Device Access documentation for the exact location in your org, as the admin console layout changes).
Restrict Pipe Access (Windows)
Apply Windows security policies to restrict which processes can open OktaDeviceAccessPipe. Caveat: a named pipe's DACL is set by the process that creates it (Okta Verify) and cannot be changed persistently with icacls the way a file ACL can, so treat this as a last resort, verify that Okta Verify's own client processes still work, and prefer disabling passwordless login.
Use Windows Security Policy or PowerShell to set restrictive ACLs on \\.\pipe\OktaDeviceAccessPipe
🧯 If You Can't Patch
- Disable the Okta Device Access passwordless feature on all Windows endpoints
- Use endpoint detection and response (EDR) or Sysmon pipe events to monitor for processes other than Okta Verify opening OktaDeviceAccessPipe
🔍 How to Verify
Check if Vulnerable:
Check whether the Okta Verify agent for Windows is installed and whether the passwordless feature is enabled for the device (the passwordless setting lives in the Okta Admin Console, not on the endpoint)
Check Version:
Check the Okta Verify agent version in Windows Programs and Features (Settings > Apps), or read it from the Uninstall registry keys with PowerShell. The legacy command `wmic product where name="Okta Verify" get version` also works on older builds, but `wmic` is deprecated and removed from recent Windows 11 releases, and any `Win32_Product` query is slow because it triggers an MSI consistency check of every installed product.
Verify Fix Applied:
Verify that the installed Okta Verify agent version matches or exceeds the patched version listed in the Okta advisory, and that the device has been restarted since the update.
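The three verification steps above as one script. This is an added example, not code from the Okta advisory or the Okta Verify product. It assumes that Okta Verify registers a DisplayName beginning "Okta Verify" under the standard Uninstall registry keys, and it does not know the fixed version: pass the version from the Okta release notes as -FixedVersion. The presence check on the pipe only shows that the Device Access component is currently running; whether passwordless is enabled must still be confirmed in the Okta Admin Console.

```powershell
# Added example (not from the Okta advisory): report whether Okta Verify for Windows
# is installed, which version, whether OktaDeviceAccessPipe is currently present, and
# whether the installed version is at or above the patched version from Okta's advisory.
# Assumptions: DisplayName starts with "Okta Verify" in the Uninstall registry keys;
# $FixedVersion is NOT known to this script and must be taken from the Okta release notes.
param(
    [Parameter(Mandatory = $true)]
    [version]$FixedVersion
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Registry lookup instead of Win32_Product/wmic: fast and has no side effects.
$okta = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Okta Verify*' } |
    Select-Object -First 1 DisplayName, DisplayVersion

# Named pipes are enumerable under \\.\pipe\ ; presence shows the Device Access
# component is running now, not that passwordless login is enabled.
$pipePresent = Get-ChildItem -Path '\\.\pipe\' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*OktaDeviceAccessPipe*' }

$result = [pscustomobject]@{
    Installed        = [bool]$okta
    Product          = $okta.DisplayName
    InstalledVersion = $okta.DisplayVersion
    FixedVersion     = $FixedVersion.ToString()
    PipePresent      = [bool]$pipePresent
    Status           = 'Not installed: not affected'
}

if ($okta) {
    $installed = $null
    if ([version]::TryParse($okta.DisplayVersion, [ref]$installed) -and $installed -ge $FixedVersion) {
        $result.Status = 'Patched (confirm the device was restarted after the update)'
    } elseif ($installed) {
        $result.Status = 'VULNERABLE: update Okta Verify to the fixed version and restart'
    } else {
        $result.Status = "Unparseable version '$($okta.DisplayVersion)': check manually"
    }
}

$result
```

Run it as `.\Check-OktaVerify.ps1 -FixedVersion <version from the advisory>` from an elevated prompt on each endpoint, or push it through your management tooling and collect the Status field.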
📡 Detection & Monitoring
Log Indicators:
- Processes other than Okta Verify's own binaries opening or creating OktaDeviceAccessPipe. Windows only records this if object access auditing applies to the pipe (Security log Event ID 4656, object name \Device\NamedPipe\OktaDeviceAccessPipe) or if Sysmon pipe events are enabled (Event ID 17 PipeCreated, 18 PipeConnected).
- Failed or successful authentication events in the Okta System Log for the affected user from unexpected locations, devices, or times after the suspected credential theft
Network Indicators:
- Okta authentication and RDP/interactive logon attempts using the affected user's credentials that do not originate from that user's enrolled device or usual network
SIEM Query:
Example: Windows Security Event ID 4656 where the object name contains 'OktaDeviceAccessPipe' and the requesting process is not an Okta Verify binary, or Sysmon Event ID 18 with a PipeName matching 'OktaDeviceAccessPipe' from a non-Okta image. Filter on the process rather than on "non-admin users": the attacker already controls the device and may well be running as an administrator.