SMB Force-Authentication Vulnerability Impacts All OPA Versions For Windows

Open Policy Agent (OPA) recently patched a critical vulnerability that could have exposed NTLM credentials of the OPA server’s local user account to remote attackers, which was present in both the OPA CLI and Go SDK. 

By exploiting this flaw, attackers could have compromised the OPA server’s authentication mechanisms and potentially gained unauthorized access to sensitive resources.

The fix for this vulnerability is available in the latest release of OPA.

- Advertisement -

A critical vulnerability (CVE-2024-8260) was discovered in Open Policy Agent (OPA) for Windows. It allows attackers to exploit file-related arguments in the OPA CLI or Go package to inject arbitrary UNC shares. 

By doing so, attackers could steal the local user’s NTLM credentials, potentially leading to unauthorized access and password cracking. This issue affected all existing versions prior to v0.68.0, and a patch has been released to address the issue.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Open Policy Agent (OPA) is a versatile policy engine used for admission control in Kubernetes, among other applications, and employs a declarative policy language called Rego. 

While OPA offers an open-source version, it also has an Enterprise edition for high-performance scenarios. In this edition, policies can be fetched from various sources or passed directly to OPA. 

A potential vulnerability exists in the way policies are passed as arguments to OPA’s CLI or SDK functions. This could lead to unintended policy execution or the exposure of sensitive information.

Researchers discovered a vulnerability (CVE-2024-8260) in OPA for Windows that allows attackers to steal user credentials. The vulnerability exists due to improper input validation in OPA CLI and Go library functions. 

By providing a UNC path (pointing to a malicious server) instead of a policy file, they tricked OPA into initiating NTLM authentication with the attacker’s server, revealing the user’s NTLM hash. 

According to Tenable, this technique worked with various OPA CLI commands, including `eval`, `run`, and `eval -d`, as the vulnerability affects both Free and Enterprise editions of OPA. 

The OPA Go SDK before version 0.68.0 contained vulnerabilities that could be exploited to trigger unauthorized network access.

These vulnerabilities were due to insufficient sanitization of input paths in functions like `rego.LoadBundle` and `AsBundle` within the `loader.go` package. 

By providing a Universal Naming Convention (UNC) path, an attacker could force the SDK to attempt to load a bundle from a remote share, potentially leading to unauthorized data access or execution of malicious code.

Version 0.68.0 resolved the issue by adding checks to prevent the use of UNC paths in these functions.

A vulnerability (CVE-2024-8260) in OPA for Windows before v0.68.0 allows attackers to leak local user credentials through the OPA CLI and Go SDK.

These are in the `github.com/open-policy-agent/opa/loader` package (all versions before v0.68.0) and handle policy and bundle file loading. 

To fix this, update the OPA CLI and Go SDK to the latest version (v0.68.0 or later). This highlights the importance of security collaboration with engineering teams to identify and mitigate vulnerabilities in widely used open-source projects. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!