Executive Summary
The discovery of CVE-2024-10327 presents a critical challenge for organizations utilizing Okta Verify for iOS. This vulnerability, affecting versions 9.25.1 (beta) and 9.27.0, poses a significant risk by allowing unauthorized authentication through the iOS ContextExtension feature. The flaw is particularly concerning as it enables authentication to proceed without user consent, potentially leading to unauthorized access to sensitive systems. While there have been no confirmed exploits in the wild, the potential impact necessitates immediate attention and remediation.
Technical Information
The vulnerability CVE-2024-10327 is rooted in the ContextExtension feature of Okta Verify for iOS, a mechanism designed to facilitate push notifications for multi-factor authentication (MFA). The flaw arises when push notification responses are processed in a manner that permits authentication to succeed regardless of the user's selection. This occurs when a user interacts with a notification banner on a locked or home screen, or even through an Apple Watch, without unlocking the device. The vulnerability is classified as Improper Authentication (CWE-287) and carries a CVSS v3 score of 8.1, indicating a high severity level. The vector string for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, highlighting its potential to compromise confidentiality and integrity.
A critical pre-condition for exploitation is that the user must have enrolled in Okta Verify while the Okta customer was using Okta Classic, irrespective of any subsequent upgrade to the Okta Identity Engine. This underscores the importance of understanding the historical context of user enrollments and the configurations in place at the time of enrollment. The vulnerability was published on October 24, 2024, and has since been a focal point for security teams aiming to safeguard their authentication processes.
Exploitation in the Wild
To date, there have been no confirmed reports of CVE-2024-10327 being exploited in the wild. The absence of known exploits or associations with Advanced Persistent Threat (APT) groups provides some reassurance. However, the potential for unauthorized access remains a pressing concern, emphasizing the need for proactive measures to mitigate this vulnerability.
APT Groups using this vulnerability
Currently, there are no known APT groups exploiting CVE-2024-10327. The lack of active exploitation by threat actors should not lead to complacency, as the vulnerability's critical nature warrants vigilance and prompt remediation efforts.
Affected Product Versions
The affected versions of Okta Verify for iOS are version 9.25.1 (beta), available via Apple TestFlight from September 30, 2024; version 9.27.0 (beta), available via Apple TestFlight from October 10, 2024; and version 9.27.0, released on the Apple App Store on October 21, 2024. Organizations using any of these versions should prioritize upgrading to mitigate the associated risks.
Workaround and Mitigation
To address CVE-2024-10327, organizations are strongly advised to upgrade to Okta Verify for iOS version 9.27.2 or later, available on the Apple App Store. This version resolves the vulnerability and restores the integrity of the authentication process. In addition to upgrading, organizations should review the Okta System Log to identify users still running affected versions. Targeted search queries can then be used to pinpoint authentication events that may represent unauthorized attempts. Furthermore, cross-referencing the associated IP addresses, geolocations, and ASNs against known legitimate user activity can surface deviations from normal behavior, providing an additional layer of detection.
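As an added illustration of the log review described above (example code, not from Okta or Rescana), this Python sketch scans constructed System Log events for MFA authentications reported from affected Okta Verify versions and raises the severity when the source ASN falls outside a user's known baseline. The event field paths, the "OktaVerify/<version>" user-agent format, and the sample data are assumptions; the authoritative search queries are those in the Okta advisory.

```python
import re

# Affected Okta Verify for iOS versions named in the advisory.
AFFECTED_VERSIONS = {"9.25.1", "9.27.0"}
# Assumed: the app identifies itself in the user agent as "OktaVerify/<ver>".
VERSION_RE = re.compile(r"OktaVerify/(\d+\.\d+\.\d+)")

# Constructed sample events in the shape of Okta System Log JSON (assumed paths).
SAMPLE_EVENTS = [
    {"eventType": "user.authentication.auth_via_mfa",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "OktaVerify/9.27.0 iOS/17.5"}},
     "securityContext": {"asNumber": 64496}},
    {"eventType": "user.authentication.auth_via_mfa",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.9",
                "userAgent": {"rawUserAgent": "OktaVerify/9.27.0 iOS/17.5"}},
     "securityContext": {"asNumber": 64511}},
    {"eventType": "user.authentication.auth_via_mfa",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "198.51.100.8",
                "userAgent": {"rawUserAgent": "OktaVerify/9.27.2 iOS/17.5"}},
     "securityContext": {"asNumber": 64496}},
]
# Constructed per-user baseline: ASNs seen in known legitimate activity.
BASELINE = {"alice@example.com": {64496}, "bob@example.com": {64496}}

def verify_version(event):
    """Return the Okta Verify version reported in the event, or None."""
    ua = event.get("client", {}).get("userAgent", {}).get("rawUserAgent", "")
    m = VERSION_RE.search(ua)
    return m.group(1) if m else None

def review(events, baseline):
    """Flag MFA events from affected versions; unknown ASN raises severity."""
    findings = []
    for e in events:
        ver = verify_version(e)
        if ver not in AFFECTED_VERSIONS:
            continue  # patched or non-Verify client: nothing to flag
        user = e["actor"]["alternateId"]
        asn = e.get("securityContext", {}).get("asNumber")
        severity = "investigate" if asn in baseline.get(user, set()) else "high"
        findings.append({"user": user, "version": ver, "asn": asn,
                         "ip": e["client"]["ipAddress"], "severity": severity})
    return findings
```

Running review(SAMPLE_EVENTS, BASELINE) yields two findings for alice: the first from her usual ASN is marked "investigate", the second from an unseen ASN is marked "high"; bob's 9.27.2 event is not flagged.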
References
For further information and technical details, please refer to the following resources: Okta Security Advisory (https://trust.okta.com/security-advisories/okta-verify-for-ios-cve-2024-10327/) and NVD CVE Details (https://nvd.nist.gov/vuln/detail/CVE-2024-10327).
Rescana is here for you
At Rescana, we understand the complexities and challenges posed by vulnerabilities like CVE-2024-10327. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help organizations navigate these challenges by providing comprehensive threat intelligence and exposure management solutions. We are committed to supporting our customers in safeguarding their digital assets and ensuring the security of their authentication processes. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com. We are here to assist you in fortifying your security posture and mitigating potential risks.