Organizations using Open Policy Agent (OPA) for Windows should consider updating to v0.68.0 or later to protect against an authentication hash leakage vulnerability identified in all earlier versions of the open source policy enforcement engine.
The vulnerability, designated CVE-2024-8260, stems from improper input validation and allows attackers to trick OPA into accessing a malicious Server Message Block (SMB) share. This can result in credential leakage and the potential exposure of sensitive system information.
Enabling Credential Leaks
“Successful exploitation can lead to unauthorized access by leaking the Net-NTLMv2 hash — or in lay terms, the credentials — of the user currently logged into the Windows machine running the OPA application,” said researchers at Tenable, who discovered the bug and issued a report this week. “Post-exploitation, the attacker could relay authentication to other systems that support NTLMv2 or perform offline cracking to extract the password.”
Many organizations use OPA for Windows to implement and enforce authorization and resource access policies across their software stack, including cloud native applications, microservices, and APIs. The technology gives organizations a way to ensure consistent policy automation and compliance across mixed Linux and Windows environments.
The vulnerability that Tenable discovered essentially allows attackers to force a vulnerable system to authenticate to an attacker's server and thereby share user credentials in the process. The problem had to do with older versions of OPA for Windows not properly verifying the type of input they received. Ordinarily, OPA should only use what are known as Rego files for the rules and policies it applies to decision making. What Tenable discovered was that, because of improper validation, an attacker could pass an arbitrary SMB share instead of a Rego file to the OPA Command Line Interface or one of its Go library functions. An attacker could inject a path to their own server in the SMB share and force the system running the vulnerable OPA instance to authenticate to it.
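Because the bug is a missing check on what kind of path OPA is handed, the operator-side mitigation is to vet policy paths before they reach the engine. The Go function below is an added example, not OPA's own code: `ValidatePolicyPath`, `allowedRoot` and the sample paths are this example's assumptions. It rejects UNC/SMB and URL-style locations, requires a .rego file, and confines the path to a single policy directory.

```go
package main

import (
	"errors"
	"path"
	"strings"
)

// Errors returned by ValidatePolicyPath; callers can match them with errors.Is.
var (
	ErrRemotePath  = errors.New("policy path names a UNC share, device or URL, not a local file")
	ErrNotRego     = errors.New("policy path does not end in .rego")
	ErrOutsideRoot = errors.New("policy path escapes the allowed policy directory")
)

// isAbs treats both POSIX "/x" and Windows "C:/x" (slash-normalised) as absolute.
func isAbs(p string) bool {
	if strings.HasPrefix(p, "/") {
		return true
	}
	return len(p) >= 3 && p[1] == ':' && p[2] == '/' &&
		((p[0] >= 'a' && p[0] <= 'z') || (p[0] >= 'A' && p[0] <= 'Z'))
}

// ValidatePolicyPath vets an operator- or user-supplied policy path before it
// reaches the OPA CLI or Go library. It returns the cleaned path when it is a
// .rego file under allowedRoot, and an error otherwise. Backslashes are
// normalised to "/" first so the same rules apply on Windows and Linux hosts.
func ValidatePolicyPath(allowedRoot, userPath string) (string, error) {
	p := strings.ReplaceAll(userPath, `\`, "/")
	root := path.Clean(strings.ReplaceAll(allowedRoot, `\`, "/"))
	// \\server\share, //server/share, \\?\UNC\... and \\.\device all begin with
	// two separators once normalised; smb:// style URLs carry "://". Reject all.
	if strings.HasPrefix(p, "//") || strings.Contains(p, "://") {
		return "", ErrRemotePath
	}
	if !strings.HasSuffix(strings.ToLower(p), ".rego") {
		return "", ErrNotRego
	}
	if !isAbs(p) {
		p = path.Join(root, p) // relative paths resolve inside the policy root
	}
	p = path.Clean(p)
	// Containment: after Clean resolves "..", the path must still sit strictly inside root.
	if !strings.HasPrefix(p, root+"/") {
		return "", ErrOutsideRoot
	}
	return p, nil
}
```

The check only covers paths that flow through it, so pair it with host egress filtering of SMB (TCP 445) toward untrusted networks and with the upgrade itself.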
“This can result in credential leaks or the execution of malicious logic, posing serious risks to system integrity and security,” Tenable said. An adversary that obtains an NTLM hash by exploiting CVE-2024-8260 could use the hash in a variety of ways, including authenticating to other systems and services, moving laterally, connecting to file shares, and attempting to extract the password.
NTLM (New Technology LAN Manager) is a suite of authentication protocols from Microsoft that many organizations use to enable single sign-on to enterprise applications and services. Attackers have often exploited NTLM in so-called pass-the-hash attacks and NTLM relay attacks, where they essentially reuse a captured hash to authenticate to different applications and services without actually knowing the password.
A Reminder of Open Source Risks
Tenable described the vulnerability it discovered as highlighting the risks organizations assume when consuming open source software and code. In research that Black Duck described in its “2024 Open Source Security and Risk Analysis Report,” the vendor found some 96% of the codebases it reviewed to contain open source components. On average, 77% of all code in these codebases originated from open source. Some 84% of codebases that underwent a risk assessment contained one or more security vulnerabilities, and 74% had high-risk vulnerabilities like Log4Shell and XZ Utils in them. A surprising 14% of the codebases that Black Duck assessed had unpatched open source vulnerabilities in them that were 10 or more years old.
“As open-source projects become integrated into widespread solutions, it's crucial to ensure they're secure and don't expose vendors and their customers to an increased attack surface,” said Ari Eitan, director of Tenable Cloud Security Research, in a statement. “This vulnerability discovery underscores the need for collaboration between security and engineering teams to mitigate such risks.”