CVE/vulnerability

SMB Force-Authentication Vulnerability Impacts All OPA Versions For Windows

Open Policy Agent (OPA) recently patched a critical vulnerability that could have exposed NTLM credentials of the OPA server’s local user account to remote attackers, which was present in both the OPA CLI and Go SDK. 

By exploiting this flaw, attackers could have compromised the OPA server’s authentication mechanisms and potentially gained unauthorized access to sensitive resources.

The fix for this vulnerability is available in the latest release of OPA.

A critical vulnerability (CVE-2024-8260) was discovered in Open Policy Agent (OPA) for Windows. It allows attackers to exploit file-related arguments in the OPA CLI or Go package to inject arbitrary UNC shares. 

By doing so, attackers could steal the local user’s NTLM credentials, potentially leading to unauthorized access and password cracking. This issue affected all existing versions prior to v0.68.0, and a patch has been released to address the issue.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Open Policy Agent (OPA) is a versatile policy engine used for admission control in Kubernetes, among other applications, and employs a declarative policy language called Rego. 

While OPA offers an open-source version, it also has an Enterprise edition for high-performance scenarios. In this edition, policies can be fetched from various sources or passed directly to OPA. 

A potential vulnerability exists in the way policies are passed as arguments to OPA’s CLI or SDK functions. This could lead to unintended policy execution or the exposure of sensitive information.

NTLM credentials caught on the attacker’s side

Researchers discovered a vulnerability (CVE-2024-8260) in OPA for Windows that allows attackers to steal user credentials. The vulnerability exists due to improper input validation in OPA CLI and Go library functions. 

By providing a UNC path (pointing to a malicious server) instead of a policy file, they tricked OPA into initiating NTLM authentication with the attacker’s server, revealing the user’s NTLM hash. 

According to Tenable, this technique worked with various OPA CLI commands, including `eval`, `run`, and `eval -d`, as the vulnerability affects both Free and Enterprise editions of OPA. 

Simple Go code that abuses the vulnerability in the rego.LoadBundle function

The OPA Go SDK before version 0.68.0 contained vulnerabilities that could be exploited to trigger unauthorized network access.

These vulnerabilities were due to insufficient sanitization of input paths in functions like `rego.LoadBundle` and `AsBundle` within the `loader.go` package. 

By providing a Universal Naming Convention (UNC) path, an attacker could force the SDK to attempt to load a bundle from a remote share, potentially leading to unauthorized data access or execution of malicious code.

Version 0.68.0 resolved the issue by adding checks to prevent the use of UNC paths in these functions.

OPA’s loader.go – a package containing utilities for loading files into OPA – patched since v0.68.0

A vulnerability (CVE-2024-8260) in OPA for Windows before v0.68.0 allows attackers to leak local user credentials through the OPA CLI and Go SDK.

These are in the `github.com/open-policy-agent/opa/loader` package (all versions before v0.68.0) and handle policy and bundle file loading. 

To fix this, update the OPA CLI and Go SDK to the latest version (v0.68.0 or later). This highlights the importance of security collaboration with engineering teams to identify and mitigate vulnerabilities in widely used open-source projects. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Threat Actors Manipulate Search Results to Lure Users to Malicious Websites

Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate search…

22 hours ago

Hackers Imitate Google Chrome Install Page on Google Play to Distribute Android Malware

Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as the…

22 hours ago

Dangling DNS Attack Allows Hackers to Take Over Organization’s Subdomain

Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains, posing…

22 hours ago

HelloKitty Ransomware Returns, Launching Attacks on Windows, Linux, and ESXi Environments

Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty ransomware,…

22 hours ago

RansomHub Ransomware Group Hits 84 Organizations as New Threat Actors Emerge

The RansomHub ransomware group has emerged as a significant danger, targeting a wide array of…

22 hours ago

Threat Actors Leverage Email Bombing to Evade Security Tools and Conceal Malicious Activity

Threat actors are increasingly using email bombing to bypass security protocols and facilitate further malicious…

2 days ago