CVE-2024-9875
📋 TL;DR
This CVE describes a privilege escalation vulnerability in the Okta Privileged Access server agent (SFTD) that is reachable only when the sudo command bundles feature is enabled. A user who already has some level of access to an affected host could gain elevated privileges on it. Organizations running SFTD agent versions 1.82.0 to 1.84.0 with that feature enabled are affected.
💻 Affected Systems
- Okta Privileged Access server agent (SFTD)
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry machine-readable version ranges, so automated detection cannot tell whether a given host is affected.
Why? No CPE version ranges were published for the entry, so scanners have nothing to match against. Compare the installed SFTD agent version manually against the 1.82.0 to 1.84.0 range given above and check whether the sudo command bundles feature is enabled.
- Review the CVE details at NVD
- Check the vendor's security advisories and release notes for your installed agent version
- Confirm whether the sudo command bundles feature is enabled on each host running an affected version; the issue is only reachable when it is
- Update to the latest agent version as a precaution, even on hosts where the feature is disabled
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain root on servers running the agent, enabling complete system compromise, data theft, and lateral movement across the network.
Likely Case
Privileged users or attackers with initial access escalate to higher privileges, potentially accessing sensitive systems and data.
If Mitigated
With proper access controls and monitoring, impact is limited to specific systems where the vulnerable configuration is present.
🎯 Exploit Status
Requires the sudo command bundles feature to be enabled on the host and some level of initial access to that host.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.87.1 or greater
Vendor Advisory: https://help.okta.com/asa/en-us/content/topics/releasenotes/advanced-server-access-release-notes.htm
Restart Required: Yes
Instructions:
1. Download Okta Privileged Access server agent version 1.87.1 or later.
2. Stop the SFTD service.
3. Install the updated agent.
4. Restart the SFTD service.
5. Verify the agent is running correctly.
🔧 Temporary Workarounds
Disable sudo command bundles
Linux: temporarily disable the sudo command bundles feature until the agent can be upgraded. The vulnerability is only reachable while the feature is enabled, so turning it off removes the exposure at the cost of that feature's functionality.
# Edit SFTD configuration to disable sudo command bundles
# Consult Okta documentation for specific configuration changes
🧯 If You Can't Patch
- Disable sudo command bundles feature in SFTD configuration
- Implement strict access controls and monitoring for sudo usage on affected systems
🔍 How to Verify
Check if Vulnerable:
Confirm both conditions: the installed SFTD agent version is within 1.82.0 to 1.84.0, and the sudo command bundles feature is enabled. A host is only affected when both hold.
Check Version:
sftd --version
Verify Fix Applied:
Confirm the agent reports version 1.87.1 or higher and that the SFTD service started and is operating normally after the upgrade.
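The version check above can be scripted. The following is an added example written for this page, not Okta's tooling: it pulls a dotted version number out of the text that `sftd --version` prints (the exact output format is assumed, not confirmed here) and classifies it against the ranges this page states. Versions between 1.84.0 and 1.87.1 get no status on this page, so the script reports them as unverified rather than guessing; the sample output string is constructed.

```shell
#!/bin/sh
# Added example, not Okta's tooling: classify an SFTD agent version against the
# ranges stated on this page (affected 1.82.0 to 1.84.0, fixed in 1.87.1).
# Assumptions: `sftd --version` prints the version as a dotted number somewhere
# in its output (format not confirmed here), and versions are purely numeric.

# vercmp A B: print -1, 0 or 1 comparing dotted numeric versions component-wise,
# treating missing trailing components as 0 (so 1.87 == 1.87.0).
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# sftd_version_status VERSION: print one of
#   vulnerable   1.82.0 <= VERSION <= 1.84.0  (affected range stated on this page)
#   fixed        VERSION >= 1.87.1            (patch release named above)
#   below-range  VERSION <  1.82.0            (outside the stated affected range)
#   unverified   1.84.0 <  VERSION <  1.87.1  (no status given here; confirm with vendor)
#   invalid      not a dotted numeric version string
sftd_version_status() {
    v=$1
    case $v in
        '' | *[!0-9.]* | .* | *. | *..*) printf '%s\n' invalid; return 1 ;;
    esac
    if   [ "$(vercmp "$v" 1.82.0)" -lt 0 ]; then printf '%s\n' below-range
    elif [ "$(vercmp "$v" 1.84.0)" -le 0 ]; then printf '%s\n' vulnerable
    elif [ "$(vercmp "$v" 1.87.1)" -lt 0 ]; then printf '%s\n' unverified
    else printf '%s\n' fixed
    fi
}

# extract_version TEXT: print the first dotted numeric token in TEXT (assumed to
# be the agent version in `sftd --version` output); prints nothing if none found.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p' | head -n 1
}

# Constructed sample of what `sftd --version` might print (format is an assumption).
SAMPLE_VERSION_TEXT='sftd version 1.83.0'

# check_sftd TEXT: print "<version> <status>" for the version found in TEXT.
check_sftd() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then printf '%s\n' 'unknown invalid'; return 1; fi
    printf '%s %s\n' "$ver" "$(sftd_version_status "$ver")"
}

if command -v sftd >/dev/null 2>&1; then
    check_sftd "$(sftd --version 2>&1)"   # live check on a host with the agent installed
else
    check_sftd "$SAMPLE_VERSION_TEXT"     # prints: 1.83.0 vulnerable
fi
```

The version status alone is not the whole answer: a host in the vulnerable range is only exposed if sudo command bundles are enabled, so pair this with a check of that setting on each host.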
📡 Detection & Monitoring
Log Indicators:
- Unusual sudo command executions
- SFTD agent errors or warnings
- Privilege escalation attempts in system logs
Network Indicators:
- Unusual SFTD agent communication patterns
SIEM Query:
source="sftd.log" AND ("privilege" OR "escalation" OR "sudo")
This keyword search is deliberately broad and will be noisy. Narrow it to the hosts where sudo command bundles are enabled and to sudo's own COMMAND= log lines, and compare the commands actually run against the commands the bundles are meant to allow.
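For the "monitor sudo usage" mitigation and the log indicators above, the following is an added example (not from this page or from Okta): it reads lines in the standard sudo syslog format, extracts the invoking user and the COMMAND= value, and flags any invocation that sudo denied or whose command is not on an allowlist, which is the confinement a command bundle is supposed to provide. The log lines and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the page or Okta's product: audit sudo log lines
# against an allowlist of exact commands, for the "monitor sudo usage" mitigation.
# The log lines below are constructed in the standard sudo syslog format; the
# allowlist is a hypothetical set of commands a bundle would grant.

# One allowed command per line. The full COMMAND= string is compared exactly, so
# an allowed binary invoked with different arguments is still flagged.
ALLOWED_SUDO_COMMANDS='/usr/bin/systemctl restart nginx
/usr/bin/journalctl -u nginx'

# Constructed sample log: two allowed invocations, one shell escape, one denied
# attempt, and one unrelated sshd line that must be ignored.
SAMPLE_SUDO_LOG='Jan 10 12:00:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 10 12:00:07 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan 10 12:00:09 web1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
Jan 10 12:00:15 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Jan 10 12:00:20 web1 sshd[1234]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2'

# flag_sudo_commands ALLOWLIST < LOG: print "user|reason|command" for every sudo
# line that sudo itself denied, or whose command is not in ALLOWLIST.
flag_sudo_commands() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") allowed[a[i]] = 1
        }
        / sudo: / && /COMMAND=/ {
            user = $0; sub(/.* sudo: +/, "", user); sub(/ :.*/, "", user)
            cmd = $0;  sub(/.*COMMAND=/, "", cmd)
            reason = ""
            if ($0 ~ /command not allowed|NOT in sudoers/) reason = "denied-by-sudo"
            else if (!(cmd in allowed))                     reason = "outside-allowlist"
            if (reason != "") print user "|" reason "|" cmd
        }'
}

# audit_sample: run the audit over the constructed log with the allowlist above.
audit_sample() {
    printf '%s\n' "$SAMPLE_SUDO_LOG" | flag_sudo_commands "$ALLOWED_SUDO_COMMANDS"
}

audit_sample
# prints:
# alice|outside-allowlist|/bin/bash
# bob|denied-by-sudo|/usr/bin/vi /etc/sudoers
```

On a real host, feed it the sudo entries from the system log (for example `journalctl _COMM=sudo` or `/var/log/auth.log`) and populate the allowlist from the commands the relevant bundles grant; anything flagged as outside-allowlist on a host in the affected version range is worth investigating as a possible escalation.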