Open Policy Agent (OPA) for Windows Vulnerability Risks Leaking NTLM Hashes
October 22, 2024
A vulnerability has been identified in Open Policy Agent (OPA) for Windows that could result in the leakage of authentication hashes. This flaw, which has been given the identifier CVE-2024-8260, affects all versions prior to v0.68.0. The issue arises from improper input validation, enabling attackers to manipulate OPA into accessing a harmful Server Message Block (SMB) share, potentially leading to credential leakage and exposure of sensitive system data.
As stated by the researchers at Tenable who uncovered the bug, "Successful exploitation can lead to unauthorised access by leaking the Net-NTLMv2 hash — or in lay terms, the credentials — of the user currently logged into the Windows device running the OPA application." This could potentially allow the attacker to relay authentication to other systems supporting NTLMv2 or perform offline cracking to retrieve the password.
OPA for Windows is widely used by organizations to enforce authorization and resource access policies across their software stack, which includes cloud native applications, microservices, and APIs. This technology enables organizations to ensure consistent policy automation and compliance across mixed Linux and Windows environments.
The vulnerability discovered by Tenable essentially allows attackers to coerce a vulnerable system into authenticating to an attacker's server, thereby disclosing the user's credentials. The issue originates from older versions of OPA for Windows failing to properly verify the types of files they received. Ideally, OPA should only consume Rego files for the rules and policies that drive its decisions. However, Tenable found that, because of this improper validation, an attacker could pass the path of an arbitrary SMB share in place of a Rego file to the OPA command-line interface or to one of its Go library functions. This could lead to credential leaks or execution of malicious logic, posing severe risks to system security and integrity.
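As an added example (not code from the OPA project or from Tenable), the following Go check shows the kind of input validation an application that embeds OPA's Go library or wraps its CLI can apply to user-supplied policy paths before handing them to OPA: it rejects UNC network paths (the trigger for Windows to authenticate to a remote SMB server), requires a `.rego` extension, and confines the path to a trusted policy directory. The policy directory and file names are assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUntrustedPolicyPath is returned for any path that must not reach OPA.
var ErrUntrustedPolicyPath = errors.New("untrusted policy path")

// ValidatePolicyPath returns the cleaned absolute path of p if it is a .rego
// file inside baseDir, and an error otherwise. It never touches the
// filesystem, so a malicious path cannot trigger an SMB connection here.
func ValidatePolicyPath(baseDir, p string) (string, error) {
	// Reject UNC / network paths in both slash styles ("\\host\share",
	// "//host/share", "\\?\UNC\host\share") before any other processing.
	if strings.HasPrefix(p, `\\`) || strings.HasPrefix(p, "//") {
		return "", fmt.Errorf("%w: network (UNC) path %q", ErrUntrustedPolicyPath, p)
	}
	// Only Rego policy files are expected as input.
	if !strings.EqualFold(filepath.Ext(p), ".rego") {
		return "", fmt.Errorf("%w: %q is not a .rego file", ErrUntrustedPolicyPath, p)
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Resolve relative paths against the trusted directory, then make sure
	// the result does not escape it via ".." segments.
	full := p
	if !filepath.IsAbs(full) {
		full = filepath.Join(base, full)
	}
	full = filepath.Clean(full)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q is outside %q", ErrUntrustedPolicyPath, p, base)
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate policy, three that must be refused.
	for _, p := range []string{"authz.rego", `\\attacker\share\authz.rego`, "../etc/x.rego", "authz.json"} {
		full, err := ValidatePolicyPath("/srv/opa/policies", p)
		fmt.Printf("%-32q -> %q %v\n", p, full, err)
	}
}
```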
An attacker exploiting CVE-2024-8260 to obtain an NTLM hash could use it in various ways, including authenticating to other systems and services, lateral movement, connecting to file shares, and attempting to extract the password. This vulnerability underscores the risks that organizations take on when using open source software and code.
Ari Eitan, director of Tenable Cloud Security Research, emphasized the importance of security in open-source projects, stating, "As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface." This discovery highlights the need for collaboration between security and engineering teams to mitigate such risks.