Vulnerability Found in Styra’s OPA Exposing NTLM Hashes to Remote Threat Actors
Information has been revealed regarding a now-fixed weakness in Styra’s Open Policy Agent (OPA) that, if exploited successfully, could have led to disclosure of New Technology LAN Manager (NTLM) hashes.
“The flaw could have enabled a hacker to expose the NTLM credentials of the OPA server’s local user account to a distant server, potentially enabling the attacker to relay the authentication or crack the password,” cybersecurity company Tenable stated in a report conveyed to The Hacker News.
The security vulnerability, characterized as a Server Message Block (SMB) force-authentication flaw and identified as CVE-2024-8260 (CVSS score: 6.1/7.3), affects both the Command Line Interface (CLI) and Go software development kit (SDK) for Windows.
Primarily, the problem originates from inadequate input validation that could lead to unauthorized access by leaking the Net-NTLMv2 hash of the user currently logged into the Windows machine running the OPA application.
Nonetheless, for this exploit to function, the target must be capable of initiating outbound Server Message Block (SMB) traffic via port 445. Other conditions that contribute to the medium level of risk are as follows:
- An initial foothold in the environment, or social engineering of a user, that clears the path for execution of the OPA CLI
- Passing a Universal Naming Convention (UNC) path instead of a Rego rule file as an argument to the OPA CLI or to the OPA Go library's functions
The credential acquired in this manner could then be utilized for launching a relay attack to circumvent authentication, or conducting offline cracking to extract the password.
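The flaw above comes down to a caller being allowed to hand OPA a UNC path where a local Rego file was expected. As an added illustration (not Tenable's or OPA's code), here is a Go wrapper that performs that missing validation before a path ever reaches the CLI or SDK: it refuses UNC-style arguments, requires a `.rego` extension, and confines the file to a local policy directory. The `SafePolicyPath` function, the `/opt/opa/policies` directory and the sample paths are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrRemotePath is returned for any argument Windows would resolve over SMB.
var ErrRemotePath = errors.New("policy path must be a local file, not a UNC path")

// isUNC reports whether p is a UNC-style path (\\host\share, //host/share,
// or the extended \\?\UNC\host\share form). Opening such a path on Windows
// triggers the outbound NTLM authentication the advisory describes.
func isUNC(p string) bool {
	s := strings.ReplaceAll(p, "/", `\`)
	return strings.HasPrefix(s, `\\`) // covers \\host, \\?\UNC\ and \\.\UNC\
}

// SafePolicyPath validates a user-supplied Rego file argument before it is
// passed to the OPA CLI or Go SDK (hypothetical wrapper, not OPA's own API):
// it rejects UNC paths, requires a .rego extension, and confines the result
// to allowedDir so no remote or out-of-tree file is ever opened.
func SafePolicyPath(allowedDir, arg string) (string, error) {
	if isUNC(arg) {
		return "", ErrRemotePath
	}
	if !strings.EqualFold(filepath.Ext(arg), ".rego") {
		return "", fmt.Errorf("policy path %q must be a .rego file", arg)
	}
	base, err := filepath.Abs(allowedDir)
	if err != nil {
		return "", err
	}
	full := arg
	if !filepath.IsAbs(full) {
		full = filepath.Join(base, full)
	}
	full = filepath.Clean(full)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("policy path %q escapes %q", arg, base)
	}
	return full, nil
}

func main() {
	// Constructed inputs: a legitimate local policy, then the shape of
	// argument that would force outbound SMB on port 445.
	for _, arg := range []string{"rbac.rego", `\\remote.example\share\rbac.rego`} {
		p, err := SafePolicyPath("/opt/opa/policies", arg)
		fmt.Printf("%-36s -> %q %v\n", arg, p, err)
	}
}
```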
“When a user or application tries to access a remote share on Windows, it compels the local system to authenticate to the remote server via NTLM,” said Tenable security researcher Shelly Raban.
“During this process, the NTLM hash of the local user is transmitted to the remote server. An attacker can exploit this process to capture the credentials, enabling them to relay the authentication or crack the hashes offline.”
Following responsible disclosure on June 19, 2024, the vulnerability was resolved in version 0.68.0 launched on August 29, 2024.
“As open-source projects integrate into widespread solutions, it becomes vital to ensure their security to prevent exposing vendors and their customers to an enlarged attack area,” the company stressed. “Moreover, organizations should limit the external exposure of services unless absolutely essential to safeguard their systems.”
The disclosure coincides with Akamai spotlighting a privilege elevation flaw in the Microsoft Remote Registry Service (CVE-2024-43532, CVSS score: 8.8) which could allow an attacker to acquire SYSTEM privileges through an NTLM relay. Microsoft patched it earlier this month subsequent to it being reported on February 1, 2024.
“The vulnerability exploits a fallback mechanism in the WinReg [RPC] client implementation that uses outdated transport protocols insecurely if the SMB transport is not available,” Akamai researcher Stiv Kupchik explained.
“By leveraging this vulnerability, an attacker can relay the client’s NTLM authentication details to the Active Directory Certificate Services (ADCS), and request a user certificate to utilize for further authentication within the domain.”
The susceptibility of NTLM to relay attacks has not escaped the notice of Microsoft, which, back in May, reaffirmed its intention to phase out NTLM in Windows 11 in favor of Kerberos as part of its bid to enhance user authentication.
“Although most RPC servers and clients are secure today, remnants of insecure implementation at varying degrees can still be discovered occasionally,” Kupchik stated. “In this scenario, we succeeded in executing an NTLM relay, a category of attacks that is better consigned to the past.”