Security Vulnerability Found in Styra’s OPA Exposing NTLM Hashes to Remote Hackers

Oct 22, 2024Ravie LakshmananVulnerability / Software Security


New information has come to light regarding a recently-fixed security loophole in Styra’s Open Policy Agent (OPA). This flaw, if successfully utilized, could have exposed New Technology LAN Manager (NTLM) hashes.

“An attacker could potentially leak the NTLM credentials of the OPA server’s local user account to an external server, paving the way for the attacker to either relay the authentication or crack the password,” a report from cybersecurity company Tenable revealed, as shared with The Hacker News.

The security issue, identified as a Server Message Block (SMB) force-authentication vulnerability and assigned CVE-2024-8260 (CVSS score: 6.1/7.3), impacts both the CLI and Go software development kit (SDK) for Windows.


The root cause of the problem is improper input validation, which can leak the Net-NTLMv2 hash of the user currently logged into the Windows device running the OPA application and thereby enable unauthorized access.

For the exploitation to succeed, however, the target host must be able to initiate outbound Server Message Block (SMB) traffic over port 445. The following additional conditions also contribute to the moderate severity of the issue:

  • An initial foothold in the environment or manipulation of a user, facilitating the launch of the OPA CLI
  • Submission of a Universal Naming Convention (UNC) path instead of a Rego rule file when providing input to the OPA CLI or the OPA Go library’s functionalities

The credentials obtained through this method could be weaponized to execute a relay attack to bypass authentication or conduct offline decryption to retrieve the password.

“When a user or application tries to access a remote Windows share, it triggers the local device to authenticate with the remote server using NTLM,” explained Tenable security researcher Shelly Raban.

“Through this process, the NTLM hash of the local user is transmitted to the remote server. An attacker can exploit this mechanism to capture the credentials, granting them the ability to either relay the authentication or decrypt the hashes offline.”
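The second precondition above is that a UNC path is accepted where a local Rego file path is expected. The following is an added example (not OPA's own code or its 0.68.0 fix) of the kind of input check a Go service wrapping the OPA SDK can apply before handing a user-supplied path to any file loader; the function names and sample paths are constructed for illustration, and the string-based check is deliberately platform-independent so it behaves the same on Windows and on a non-Windows build host.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUNCPath is returned when a caller supplies a Windows network (UNC) path.
var ErrUNCPath = errors.New("policy path must be a local file; UNC paths are not allowed")

// IsUNCPath reports whether p names a Windows network location. Slashes are
// normalised first so that "//host/share" is caught as well as "\\host\share"
// and the long-path form "\\?\UNC\host\share". Any path that starts with two
// separators is rejected; this also rejects "\\?\C:\..." and "\\.\..." device
// paths, which a policy loader has no reason to accept either.
func IsUNCPath(p string) bool {
	s := strings.ReplaceAll(strings.TrimSpace(p), "/", `\`)
	return strings.HasPrefix(s, `\\`)
}

// ValidatePolicyPath checks a user-supplied Rego file path before it reaches a
// loader. It returns the cleaned path, or an error if opening the path would
// make the host authenticate over SMB to a remote share.
func ValidatePolicyPath(p string) (string, error) {
	if strings.TrimSpace(p) == "" {
		return "", errors.New("empty policy path")
	}
	if IsUNCPath(p) {
		return "", ErrUNCPath
	}
	return filepath.Clean(p), nil
}

func main() {
	// Constructed sample inputs (hypothetical hostnames), not taken from the advisory.
	inputs := []string{
		`policies\authz.rego`,
		`C:\opa\authz.rego`,
		`\\files.example\share\authz.rego`,
		`//files.example/share/authz.rego`,
		`\\?\UNC\files.example\share\authz.rego`,
	}
	for _, in := range inputs {
		if p, err := ValidatePolicyPath(in); err != nil {
			fmt.Printf("REJECT %-42q %v\n", in, err)
		} else {
			fmt.Printf("ACCEPT %-42q -> %s\n", in, p)
		}
	}
}
```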

Following responsible disclosure on June 19, 2024, the vulnerability was remedied in version 0.68.0 released on August 29, 2024.

“As open-source projects are integrated into mainstream solutions, it’s vital to ensure their security to prevent exposing vendors and users to increased attack risks,” emphasized the company. “Moreover, organizations should limit the public exposure of services unless absolutely necessary to safeguard their systems.”

The revelation coincides with Akamai shedding light on a privilege escalation flaw in the Microsoft Remote Registry Service (CVE-2024-43532, CVSS score: 8.8), which could empower an attacker to attain SYSTEM privileges through an NTLM relay. This flaw was fixed by the tech giant earlier this month following its disclosure on February 1, 2024.


“The flaw exploits a fallback mechanism in the WinReg [RPC] client implementation, utilizing outdated transport protocols insecurely if the SMB transport isn’t available,” detailed Akamai researcher Stiv Kupchik in a statement.

“By leveraging this vulnerability, an attacker could relay the client’s NTLM authentication data to the Active Directory Certificate Services (ADCS), requesting a user certificate for additional authentication within the domain.”

Microsoft has acknowledged that NTLM is susceptible to relay attacks and, as reported earlier in May, plans to phase it out in Windows 11 in favor of Kerberos to bolster user authentication.

“Even though most RPC servers and clients are now secure, there are occasional remnants of insecure implementation to different extents,” noted Kupchik. “In this particular case, we managed to execute an NTLM relay, an attack type that belongs more to the past.”
