Tuesday, May 6, 2025
HomeCVE/vulnerabilitySMB Force-Authentication Vulnerability Impacts All OPA Versions For Windows

SMB Force-Authentication Vulnerability Impacts All OPA Versions For Windows

Published on

SIEM as a Service

Follow Us on Google News

Open Policy Agent (OPA) recently patched a critical vulnerability that could have exposed NTLM credentials of the OPA server’s local user account to remote attackers, which was present in both the OPA CLI and Go SDK. 

By exploiting this flaw, attackers could have compromised the OPA server’s authentication mechanisms and potentially gained unauthorized access to sensitive resources.

The fix for this vulnerability is available in the latest release of OPA.

- Advertisement - Google News

A critical vulnerability (CVE-2024-8260) was discovered in Open Policy Agent (OPA) for Windows. It allows attackers to exploit file-related arguments in the OPA CLI or Go package to inject arbitrary UNC shares. 

By doing so, attackers could steal the local user’s NTLM credentials, potentially leading to unauthorized access and password cracking. This issue affected all existing versions prior to v0.68.0, and a patch has been released to address the issue.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Open Policy Agent (OPA) is a versatile policy engine used for admission control in Kubernetes, among other applications, and employs a declarative policy language called Rego. 

While OPA offers an open-source version, it also has an Enterprise edition for high-performance scenarios. In this edition, policies can be fetched from various sources or passed directly to OPA. 

A potential vulnerability exists in the way policies are passed as arguments to OPA’s CLI or SDK functions. This could lead to unintended policy execution or the exposure of sensitive information.

NTLM credentials caught on the attacker’s side
NTLM credentials caught on the attacker’s side

Researchers discovered a vulnerability (CVE-2024-8260) in OPA for Windows that allows attackers to steal user credentials. The vulnerability exists due to improper input validation in OPA CLI and Go library functions. 

By providing a UNC path (pointing to a malicious server) instead of a policy file, they tricked OPA into initiating NTLM authentication with the attacker’s server, revealing the user’s NTLM hash. 

According to Tenable, this technique worked with various OPA CLI commands, including `eval`, `run`, and `eval -d`, as the vulnerability affects both Free and Enterprise editions of OPA. 

Simple Go code that abuses the vulnerability in the rego.LoadBundle function
Simple Go code that abuses the vulnerability in the rego.LoadBundle function

The OPA Go SDK before version 0.68.0 contained vulnerabilities that could be exploited to trigger unauthorized network access.

These vulnerabilities were due to insufficient sanitization of input paths in functions like `rego.LoadBundle` and `AsBundle` within the `loader.go` package. 

By providing a Universal Naming Convention (UNC) path, an attacker could force the SDK to attempt to load a bundle from a remote share, potentially leading to unauthorized data access or execution of malicious code.

Version 0.68.0 resolved the issue by adding checks to prevent the use of UNC paths in these functions.

OPA’s loader.go - a package containing utilities for loading files into OPA - patched since v0.68.0 
OPA’s loader.go – a package containing utilities for loading files into OPA – patched since v0.68.0 

A vulnerability (CVE-2024-8260) in OPA for Windows before v0.68.0 allows attackers to leak local user credentials through the OPA CLI and Go SDK.

These are in the `github.com/open-policy-agent/opa/loader` package (all versions before v0.68.0) and handle policy and bundle file loading. 

To fix this, update the OPA CLI and Go SDK to the latest version (v0.68.0 or later). This highlights the importance of security collaboration with engineering teams to identify and mitigate vulnerabilities in widely used open-source projects. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Signal App Used by Trump Associate Targeted in Security Breach

A major security scare has erupted in Washington after reports emerged that a Trump...

CISA Issues Alert on Langflow Vulnerability Actively Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert regarding an actively...

Windows Deployment Services Hit by 0-Click UDP Flaw Leading to System Failures

A newly discovered pre-authentication denial-of-service (DoS) vulnerability in Microsoft’s Windows Deployment Services (WDS) exposes enterprise networks...

Critical Microsoft 0-Click Telnet Vulnerability Enables Credential Theft Without User Action

A critical vulnerability has been uncovered in Microsoft’s Telnet Client (telnet.exe), enabling attackers to...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Signal App Used by Trump Associate Targeted in Security Breach

A major security scare has erupted in Washington after reports emerged that a Trump...

CISA Issues Alert on Langflow Vulnerability Actively Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert regarding an actively...

Windows Deployment Services Hit by 0-Click UDP Flaw Leading to System Failures

A newly discovered pre-authentication denial-of-service (DoS) vulnerability in Microsoft’s Windows Deployment Services (WDS) exposes enterprise networks...