

























The Okta Device Access features, provided by the Okta Verify agent for Windows, provides access to the OktaDeviceAccessPipe, which enables attackers in a compromised device to retrieve passwords associated with Desktop MFA passwordless logins. The vulnerability was discovered via routine penetration testing.
Note: A precondition of this vulnerability is that the user must be using the Okta Device Access passwordless feature. Okta Device Access users not using passwordless are not affected, and customers only using Okta Verify on platforms other than Windows, or only using FastPass are not affected.
Customers using Okta Verify for Windows versions 5.0.2 to 5.3.2 are affected.
Okta Desktop MFA for Windows Passwordless Login
To remediate this vulnerability, upgrade Okta Verify for Windows to version 5.3.3 or greater.
The vulnerability is present in Okta Verify versions 5.0.2 to 5.3.2 and resolved in Okta Verify for Windows version 5.3.3.
2024-4-17 - Vulnerability introduced in version 5.0.2 (Release Notes)
2024-9-20 - Early Access (EA) version 5.3.3 release remediates vulnerability
2024-10-25 - Generally Available (GA) version 5.3.3 release remediates vulnerability
CVE ID | |
Published Date | November 1, 2024 |
Vulnerability Type | Insecure Interaction Between Components, Information Disclosure |
CWE | CWE-276 |
CVSS v3 | Score: 7.1 Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Okta would like to thank Anvil Secure for discovering this vulnerability.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。