CVE-2024-9191 Overview
CVE-2024-9191 is an insecure-permissions vulnerability in the Okta Device Access features of the Okta Verify agent for Windows. An attacker who already has code running on a device can open the OktaDeviceAccessPipe named pipe and retrieve the passwords associated with Desktop MFA passwordless logins.
Okta reports that the vulnerability was found during routine penetration testing. It affects organizations that use Okta Device Access passwordless login on Windows. Customers who do not use the Okta Device Access passwordless feature, who run Okta Verify only on non-Windows platforms, or who use only FastPass are not affected.
Critical Impact
An attacker with code execution on a Windows device can read, through the pipe, the passwords that back Desktop MFA passwordless logins on that device. Those are user account credentials, so successful exploitation is credential theft and a ready path to lateral movement within the enterprise environment.
Affected Products
- Okta Verify for Windows, versions prior to the fixed release named in Okta's security advisory; only deployments that use the Okta Device Access passwordless feature are exposed
Discovery Timeline
- 2024-11-01 - CVE-2024-9191 published to NVD
- 2024-11-05 - Last updated in NVD database
Technical Details for CVE-2024-9191
Vulnerability Analysis
The weakness is CWE-276 (Incorrect Default Permissions) on the OktaDeviceAccessPipe named pipe, which the Okta Verify Windows agent uses for inter-process communication in the Device Access passwordless feature. The pipe's permissions do not restrict which local processes may open it, so any process on the machine can connect and issue requests to it.
An attacker who has already gained a foothold on the system connects to the pipe and asks it for the credential material it holds. The attack vector is local: the adversary must first compromise the device by other means, and then uses this flaw to harvest passwords from an otherwise legitimate Okta component.
The impact is significant for enterprise environments relying on Okta's passwordless authentication, as successful exploitation could expose user credentials that were intended to be protected by the MFA workflow.
Root Cause
The root cause of CVE-2024-9191 is an over-permissive DACL (CWE-276) on the OktaDeviceAccessPipe named pipe. The pipe could be opened by local processes without any authentication or authorization check beyond the ability to run code on the machine, so any such process could query it and retrieve the stored password information.
Named pipes are a common inter-process communication (IPC) mechanism on Windows, and a pipe is a securable object: the discretionary access control list (DACL) in the SECURITY_ATTRIBUTES passed to CreateNamedPipe decides which accounts may open it. When a server passes no security descriptor, Windows applies a default DACL that grants full control to LocalSystem, Administrators and the creator owner, plus read access to Everyone and the anonymous account. A pipe that hands out secrets therefore needs an explicit DACL limited to the accounts that must talk to it, or a server-side check of the connecting client (for example ImpersonateNamedPipeClient followed by a token check) before it answers; otherwise any malicious local process can use the pipe's functionality and read what it returns.
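To make the DACL point concrete, here is an added example (not Okta's code, and not the ACL Okta actually shipped or fixed, which this page does not give) that audits a pipe security descriptor written in SDDL. It flags access-allowed ACEs that let broad local principals (Everyone, Authenticated Users, BUILTIN\Users, Interactive, Anonymous) write to the pipe, handles rights spelled as hex masks, and treats a missing D: component as a NULL DACL. The "weak" and "restricted" descriptors are constructed for illustration; which accounts belong on a real logon-time pipe is a product decision.

```python
"""Audit a named pipe's DACL, given in SDDL form, for broad local write access.

Added example, not Okta's code. The descriptors at the bottom are constructed
to contrast a pipe any local process can talk to with one limited to SYSTEM
and Administrators; they are not the ACL from the actual product.
"""
import re

# SDDL aliases for principals that amount to "any process on the box".
BROAD_SIDS = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "BU": "BUILTIN\\Users",
    "IU": "Interactive Users",
    "AN": "Anonymous",
}

# Two-letter SDDL rights that let a client open the pipe for writing (send it
# requests) or rewrite the object's security.
WRITE_CODES = {"GA", "GW", "FA", "FW", "WD", "WO"}

# The same rights as bits, for ACEs that spell the access mask in hex.
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
FILE_WRITE_DATA, WRITE_DAC, WRITE_OWNER = 0x0002, 0x00040000, 0x00080000
WRITE_MASK = GENERIC_ALL | GENERIC_WRITE | FILE_WRITE_DATA | WRITE_DAC | WRITE_OWNER

DACL_RE = re.compile(r"D:((?:P|AI|AR)*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_allow_write(rights: str) -> bool:
    """True if an SDDL rights field grants write or security-change access."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & WRITE_MASK != 0
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_CODES)


def weak_pipe_aces(sddl: str) -> list[str]:
    """Return one finding per access-allowed ACE that lets a broad principal write."""
    dacl = DACL_RE.search(sddl)
    if dacl is None:
        # No D: component means a NULL DACL, which grants everyone full control.
        return ["NULL DACL: every local process gets full control"]
    findings = []
    for ace in ACE_RE.findall(dacl.group(2)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if ace_type != "A":          # deny and audit ACEs never widen access
            continue
        if sid in BROAD_SIDS and rights_allow_write(rights):
            findings.append(f"{BROAD_SIDS[sid]} ({sid}) can write, rights={rights}")
    return findings


# Constructed descriptors, not Okta's: over-permissive pipes beside a restricted one.
WEAK_PIPE_SDDL = "O:SYG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;AU)"
HEX_WEAK_SDDL = "D:(A;;0x120116;;;WD)"          # FILE_GENERIC_WRITE for Everyone
RESTRICTED_PIPE_SDDL = "O:SYG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)(D;;GA;;;AN)"

if __name__ == "__main__":
    for name, sddl in [("weak", WEAK_PIPE_SDDL), ("hex", HEX_WEAK_SDDL),
                       ("restricted", RESTRICTED_PIPE_SDDL), ("null dacl", "O:BAG:SY")]:
        print(f"{name:10} {weak_pipe_aces(sddl) or 'ok'}")
```

On a live Windows host the SDDL string to feed in can be read from the pipe object with Sysinternals AccessChk (it accepts `\pipe\<name>` targets) or from the descriptor a service passes to CreateNamedPipe. Note that a restrictive DACL is only half the fix: a pipe that legitimately serves an unprivileged interactive user still has to verify, per request, that the caller is entitled to the secret it asks for.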
Attack Vector
The attack vector is local: the attacker must already have code execution on the target Windows system. From that position the attacker can:
- Enumerate available named pipes on the system
- Identify and connect to the OktaDeviceAccessPipe
- Send appropriate requests to retrieve stored password information
- Extract credentials associated with Desktop MFA passwordless logins
This vulnerability is exploitable post-compromise, making it valuable for attackers seeking to escalate their access or move laterally within an organization after initial system compromise.
Detection Methods for CVE-2024-9191
Indicators of Compromise
- Unexpected processes connecting to the OktaDeviceAccessPipe named pipe
- Suspicious named pipe enumeration activities on Windows systems running Okta Verify
- Anomalous process behavior involving Okta Verify-related files or pipes
- Authentication anomalies following potential credential theft
Detection Strategies
- Monitor named-pipe activity with Sysmon: Event ID 17 (PipeCreated) records which process stood up OktaDeviceAccessPipe, and Event ID 18 (PipeConnected) records every client that opens it. The Windows Security log does not record local pipe connections unless a SACL has been placed on the pipe, so Sysmon or EDR telemetry with equivalent coverage is the practical source
- Implement endpoint detection rules that flag processes outside the Okta Verify install location interacting with Okta Verify components, especially clients running from user-writable paths
- Deploy behavioral analytics to catch the initial compromise that must precede exploitation, since the attacker needs code execution on the device before the pipe can be abused
- Use SentinelOne's Storyline technology to correlate named pipe access with other suspicious activity on the same host
Monitoring Recommendations
- Windows object-access auditing only records pipe access for objects carrying a SACL, so do not rely on the Security log alone for this signal
- Configure Sysmon to capture named-pipe events (Event ID 17 PipeCreated and Event ID 18 PipeConnected), for example with a PipeEvent include rule whose PipeName condition matches OktaDeviceAccessPipe
- Implement centralized logging for all Okta Verify agent activities
- Establish baseline behaviors for legitimate Okta Verify operations to detect anomalies
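The following added example (not SentinelOne's or Okta's code) turns the Sysmon recommendations above into a rule: it scans records flattened from Sysmon Event ID 17 and 18 (one dict per event holding the EventID and the EventData fields) and reports any process that creates or connects to OktaDeviceAccessPipe but is not on an allowlist built from your baseline. The allowlisted Okta Verify path and the sample events are constructed placeholders; the rule ranks clients running from user-writable directories, and any unexpected pipe server, as high severity.

```python
"""Flag Okta Device Access pipe events from unexpected images in Sysmon telemetry.

Added example, not SentinelOne's or Okta's code. Input records are constructed
to mirror the fields of Sysmon Event ID 17 (PipeCreated) and 18 (PipeConnected);
the image paths in the allowlist and samples are placeholders to be replaced
with what your own baseline of legitimate Okta Verify activity shows.
"""
import re
from dataclasses import dataclass

TARGET_PIPE = "OktaDeviceAccessPipe"

# Placeholder allowlist: full, lower-cased paths of the binaries your baseline
# shows creating or connecting to the pipe. Use exact paths, not directories.
EXPECTED_IMAGES = {
    r"c:\program files\okta\okta verify\oktaverify.exe",   # assumed location
}

# Paths a normal user can write to; a pipe client running from here ranks higher.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)


@dataclass
class Finding:
    utc_time: str
    event_id: int
    image: str
    pid: int
    kind: str       # "unexpected-client" or "unexpected-server"
    severity: str   # "high" or "medium"


def detect_pipe_abuse(events: list[dict]) -> list[Finding]:
    """Return findings for creates/connects on the target pipe by unlisted images."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in (17, 18):
            continue
        # Pipelines differ on the leading backslash, so compare the bare name.
        if ev.get("PipeName", "").lstrip("\\").lower() != TARGET_PIPE.lower():
            continue
        image = ev.get("Image", "")
        if image.lower() in EXPECTED_IMAGES:
            continue
        # An unlisted process creating the pipe would be impersonating the agent;
        # an unlisted client connecting to it is the pattern behind this CVE.
        kind = "unexpected-server" if ev["EventID"] == 17 else "unexpected-client"
        high = kind == "unexpected-server" or USER_WRITABLE.match(image) is not None
        findings.append(Finding(ev.get("UtcTime", ""), ev["EventID"], image,
                                int(ev.get("ProcessId", 0)), kind,
                                "high" if high else "medium"))
    return findings


# Constructed sample telemetry (not real logs), in the order Sysmon would emit it.
SAMPLE_EVENTS = [
    {"EventID": 17, "UtcTime": "2024-11-04 08:00:01.100", "ProcessId": 1204,
     "Image": r"C:\Program Files\Okta\Okta Verify\OktaVerify.exe",
     "PipeName": r"\OktaDeviceAccessPipe"},
    {"EventID": 18, "UtcTime": "2024-11-04 08:00:05.412", "ProcessId": 1204,
     "Image": r"C:\Program Files\Okta\Okta Verify\OktaVerify.exe",
     "PipeName": r"\OktaDeviceAccessPipe"},
    {"EventID": 18, "UtcTime": "2024-11-04 08:13:22.007", "ProcessId": 5588,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "PipeName": r"\OktaDeviceAccessPipe"},
    {"EventID": 18, "UtcTime": "2024-11-04 08:13:40.951", "ProcessId": 6012,
     "Image": r"C:\Tools\pipeclient.exe",
     "PipeName": r"\OktaDeviceAccessPipe"},
    {"EventID": 18, "UtcTime": "2024-11-04 08:14:02.330", "ProcessId": 6012,
     "Image": r"C:\Tools\pipeclient.exe",
     "PipeName": r"\lsass"},   # other pipes are out of scope for this rule
]

if __name__ == "__main__":
    for f in detect_pipe_abuse(SAMPLE_EVENTS):
        print(f"{f.utc_time} {f.severity:6} {f.kind} pid={f.pid} {f.image}")
```

The rule is only as good as its allowlist: build it from Event 17 and 18 records collected on a known-good host before rolling it out, and expect to add the Windows logon components that legitimately use the pipe. Sysmon identifies the client only by image path, so a finding still needs the usual follow-up (parent process, signature, command line) before it is treated as exploitation of this CVE.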
How to Mitigate CVE-2024-9191
Immediate Actions Required
- Update Okta Verify for Windows to the latest patched version immediately
- Audit systems for signs of compromise, particularly those using Okta Device Access passwordless features
- Review authentication logs for anomalous activity that may indicate credential theft
- Consider temporarily disabling Okta Device Access passwordless features until patching is complete
Patch Information
Okta has released security updates to address this vulnerability. Organizations should consult the Okta OIE Release Notes and Okta Security Advisories for detailed patch information and upgrade instructions.
The patch addresses the improper permissions on the OktaDeviceAccessPipe by implementing proper access controls to prevent unauthorized processes from retrieving sensitive credential information.
Workarounds
- If immediate patching is not possible, disable the Okta Device Access passwordless feature until the update can be applied; with the feature off, the pipe has no passwords to hand out
- Implement additional endpoint protection controls to detect and block post-compromise activity, since the attacker must already be running code on the device
- Restrict local administrative access and harden endpoints against initial compromise; note that the pipe was reachable by any local process, so limiting admin rights reduces the chance of a foothold rather than blocking the pipe read itself
- Monitor affected systems closely for the indicators above until patching is complete, and verify the deployed Okta Verify version on each endpoint rather than assuming the update rolled out
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


