Red Hat NetworkManager Flaw Allows Hackers to Gain Root Access

A recently discovered vulnerability in Red Hat’s NetworkManager, CVE-2024-8260, has raised concerns in the cybersecurity community because it could allow unauthorized users to gain root access.

This security flaw, publicly disclosed on August 30, 2024, and last modified on September 19, 2024, has been classified as moderately severe and assigned a Common Vulnerability Scoring System (CVSS) score of 6.1.

Vulnerability Details

The flaw is described as an SMB (Server Message Block) force-authentication vulnerability that affects all versions of the Open Policy Agent (OPA) for Windows before version 0.68.0.

The core issue stems from improper input validation within the OPA CLI and its Go library functions.

National Cybersecurity Awareness Month Cyber Challenges – Test your Skills Now

This vulnerability allows an attacker to pass an arbitrary SMB share instead of a Rego file, potentially leading to unauthorized access to sensitive data or resources.

The vulnerability is categorized under CWE-294, which involves authentication bypass by capture-replay.

It exploits the mechanism where a user or application attempts to access a remote share on Windows, forcing the local machine to authenticate to the remote server via NTLM (New Technology LAN Manager).

During this process, the NTLM hash of the local user is sent to the remote server, which attackers can capture and potentially use for further malicious activities such as relay attacks or offline password cracking.

The impact of this vulnerability is considered moderate due to its specific exploitation requirements.

Successful exploitation requires direct access to the OPA CLI or its Go library functions and the ability to influence the arguments passed to these components. Although this limits the attack vector, if exploited, it could lead to unauthorized access or manipulation of data.

According to Red Hat’s report, no straightforward mitigation strategies meet Red Hat’s criteria for ease of use and deployment across a widespread installation base.

However, temporary workarounds include restricting access to the OPA CLI and its functions by implementing strict access controls and ensuring only authorized users can execute commands interacting with SMB shares.

Additionally, validating inputs to ensure only legitimate Rego files are processed can help mitigate risks until a permanent solution is available.

Users are strongly advised to upgrade to OPA version 0.68.0 or later, where this vulnerability has been addressed following responsible disclosure on June 19, 2024.

Organizations should also minimize public exposure of services unless necessary and continuously monitor for suspicious activities that could indicate exploitation attempts.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here