Critical Security Flaw in OPA Could Leak NTLM Hashes via SMB Exploit

Details have emerged about a recently patched security flaw in Styra’s Open Policy Agent (OPA) that could have led to the leakage of New Technology LAN Manager (NTLM) hashes if successfully exploited.

According to a report shared by Tenable with The Hacker News, "the vulnerability could have allowed an attacker to leak the NTLM credentials of the OPA server's local user account to a remote server, potentially allowing the attacker to relay the authentication or crack the password."

This security flaw, tracked as CVE-2024-8260 with a CVSS score of 6.1/7.3, is classified as a Server Message Block (SMB) force-authentication vulnerability. It impacts both the CLI and Go SDK for Windows. The core issue stems from improper input validation, which could leak the Net-NTLMv2 hash of the user currently logged into the Windows device running the OPA application.

For this vulnerability to be exploited, the following conditions must be met:

  • The victim must be able to initiate outbound SMB traffic over port 445.
  • An initial foothold must exist in the environment, or a user must be socially engineered to execute the OPA CLI.
  • A Universal Naming Convention (UNC) path must be passed as an argument to the OPA CLI or OPA Go library instead of a Rego rule file.

Once captured, the credentials could be used to stage a relay attack, bypass authentication, or perform offline password cracking.

"When a user or application attempts to access a remote share on Windows, it forces the local machine to authenticate to the remote server via NTLM," said Tenable security researcher Shelly Raban. "During this process, the NTLM hash of the local user is sent to the remote server. An attacker can leverage this mechanism to capture the credentials, allowing them to relay the authentication or crack the hashes offline."
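The third precondition above (a UNC path handed to the CLI or Go SDK where a local Rego file was expected) and the forced-authentication mechanism Raban describes both come down to one input-validation gap: a path beginning with `\\host\share` makes Windows open an SMB session to `host` before the file is ever read. The following Go snippet is an added illustration of the kind of check a Windows application that loads policy files from user-supplied arguments should perform; it is not code from OPA or from Tenable's report. The function names `IsUNCPath` and `ValidatePolicyPath`, the hostname `fileserver.example` and the sample arguments are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUNCPath is returned when a policy path argument points at a network share
// rather than a local file. (Hypothetical name, defined for this example.)
var ErrUNCPath = errors.New("policy path must be a local file, not a UNC/network path")

// IsUNCPath reports whether p names a Windows network resource: a UNC path
// (\\host\share\...), its forward-slash spelling (//host/share/...), or the
// extended-length form \\?\UNC\host\share\.... Opening any of these causes the
// local machine to start an SMB session with host, which is the forced
// authentication described in the article. Purely local extended-length paths
// such as \\?\C:\dir\file are not UNC and are accepted.
func IsUNCPath(p string) bool {
	// Treat forward and backward slashes alike so "//host/share" is caught too.
	n := strings.ReplaceAll(p, "/", `\`)
	up := strings.ToUpper(n)

	// Extended-length (\\?\) and device (\\.\) prefixes: only the UNC\ variant
	// refers to a remote share.
	if strings.HasPrefix(up, `\\?\`) || strings.HasPrefix(up, `\\.\`) {
		return strings.HasPrefix(up[4:], `UNC\`)
	}

	// Plain UNC: two leading separators followed by a host name character.
	return strings.HasPrefix(n, `\\`) && len(n) > 2 && n[2] != '\\'
}

// ValidatePolicyPath accepts only paths that cannot trigger an outbound SMB
// connection. Callers should run this before passing an argument on to any
// file loader. (Hypothetical helper written for this example.)
func ValidatePolicyPath(p string) error {
	if IsUNCPath(p) {
		return fmt.Errorf("%w: %q", ErrUNCPath, p)
	}
	return nil
}

func main() {
	// Constructed sample arguments, as an operator might type them on a CLI.
	args := []string{
		`policy.rego`,
		`C:\policies\policy.rego`,
		`\\?\C:\policies\policy.rego`,
		`\\fileserver.example\share\policy.rego`,
		`//fileserver.example/share/policy.rego`,
		`\\?\UNC\fileserver.example\share\policy.rego`,
	}
	for _, a := range args {
		if err := ValidatePolicyPath(a); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", a)
	}
}
```

The check is deliberately conservative: it rejects the forward-slash spelling as well, because the Windows file APIs accept either separator, and an allow-list of local prefixes would be a reasonable alternative in environments where policies are always loaded from a fixed directory. Blocking outbound TCP 445 at the host firewall, which addresses the first precondition, remains the complementary network-level control.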

The flaw was responsibly disclosed on June 19, 2024, and addressed in version 0.68.0 of OPA, which was released on August 29, 2024.

"As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface," Tenable emphasized. The company also urged organizations to minimize public exposure of services unless absolutely necessary.

This disclosure follows another vulnerability detailed by Akamai, which revealed a privilege escalation flaw in the Microsoft Remote Registry Service (CVE-2024-43532). With a CVSS score of 8.8, this flaw could permit an attacker to gain SYSTEM privileges using an NTLM relay. Microsoft patched the issue earlier this month after its initial report on February 1, 2024.

The flaw exploits an insecure fallback mechanism in the WinReg RPC client, which uses outdated transport protocols if SMB transport is unavailable. "By exploiting this vulnerability, an attacker can relay the client's NTLM authentication details to the Active Directory Certificate Services (ADCS), and request a user certificate to leverage for further domain authentication," said Akamai researcher Stiv Kupchik.

The susceptibility of NTLM to relay attacks has been a longstanding issue. In May 2024, Microsoft reiterated its plan to retire NTLM in Windows 11, replacing it with Kerberos as part of its efforts to improve user authentication security.

"While most RPC servers and clients are secure nowadays, it is possible, from time to time, to uncover relics of insecure implementation to varying degrees," Kupchik added. "In this case, we managed to achieve NTLM relay, which is a class of attacks that better belongs to the past."

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067