
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The vulnerability (CVE-2024-9191) affects the Okta Device Access features in Okta Verify agent for Windows. Discovered through routine penetration testing, this high-severity vulnerability allows attackers on a compromised device to retrieve passwords associated with Desktop MFA passwordless logins through the OktaDeviceAccessPipe. The vulnerability specifically impacts versions 5.0.2 to 5.3.2 of Okta Verify for Windows, but only affects users who have enabled the Okta Device Access passwordless feature (NVD, Security Online).
The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) by NIST and 7.1 (High) by Okta. The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements, low attack complexity, and high impacts on confidentiality, integrity, and availability. The vulnerability is classified under CWE-276 (Incorrect Default Permissions) (NVD).
If exploited, the vulnerability allows an attacker who has already compromised a device to read the passwords stored for Desktop MFA passwordless logins. This could lead to unauthorized access to the user's Okta account and any connected applications (Security Online).
Okta has released version 5.3.3 of Okta Verify for Windows to address this vulnerability. Users running versions 5.0.2 to 5.3.2 are strongly advised to upgrade immediately to the latest version (Security Online).
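As an added example (not Okta's or Wiz's code), the following PowerShell script checks whether the installed Okta Verify for Windows build falls in the affected 5.0.2 to 5.3.2 range and whether the OktaDeviceAccessPipe named in the advisory is present on the host. It assumes the agent registers under the standard Windows Uninstall registry keys with a DisplayName beginning "Okta Verify"; that key name and the pipe-name match pattern are assumptions, not values taken from the advisory.

```powershell
# Added example (not Okta's or Wiz's code): inventory check for the affected
# Okta Verify for Windows range (5.0.2 to 5.3.2) described in this advisory.
# Assumption: the installed version is discoverable from the standard Windows
# Uninstall registry keys with a DisplayName that starts with "Okta Verify".

$AffectedMin  = [version]'5.0.2'
$AffectedMax  = [version]'5.3.2'
$FixedVersion = [version]'5.3.3'

function Test-AffectedOktaVerifyVersion {
    param([Parameter(Mandatory)][version]$Installed)
    # True only for versions inside the advisory's affected range (inclusive).
    return ($Installed -ge $AffectedMin) -and ($Installed -le $AffectedMax)
}

function Get-OktaVerifyVersion {
    # Searches both the 64-bit and 32-bit Uninstall hives for the agent entry.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Okta Verify*' } |
        Select-Object -First 1
    if ($entry) { return ($entry.DisplayVersion -as [version]) }
    return $null
}

function Test-OktaDeviceAccessPipePresent {
    # The advisory names OktaDeviceAccessPipe; seeing it under \\.\pipe\ is a
    # hint (not proof) that Okta Device Access is in use on this host.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    return [bool]($pipes | Where-Object { $_ -like '*OktaDeviceAccessPipe*' })
}

$installed = Get-OktaVerifyVersion
if (-not $installed) {
    Write-Output 'Okta Verify for Windows not found in the Uninstall registry keys.'
} elseif (Test-AffectedOktaVerifyVersion -Installed $installed) {
    $pipeNote = if (Test-OktaDeviceAccessPipePresent) { 'pipe present' } else { 'pipe not seen' }
    Write-Output "AFFECTED: Okta Verify $installed is within $($AffectedMin)-$($AffectedMax) ($pipeNote); upgrade to $FixedVersion or later."
} else {
    Write-Output "Not in affected range: Okta Verify $installed (fixed in $FixedVersion)."
}
```

Run it with administrative rights on each Windows endpoint; the pipe check only reports presence and does not touch the pipe's contents.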
The vulnerability was discovered through routine penetration testing by Anvil Secure, which is credited in Okta's advisory (Security Online).
Source: This report was generated using AI