Recently, a security vulnerability in Styra’s Open Policy Agent (OPA) was discovered and subsequently patched. If exploited, this flaw could have resulted in the leakage of New Technology LAN Manager (NTLM) hashes.
According to a report by cybersecurity firm Tenable, “the vulnerability could have permitted an attacker to expose the NTLM credentials of the local user account on the OPA server to a remote server, creating opportunities for credential relaying or password cracking.”
This specific security issue is categorized as a Server Message Block (SMB) force-authentication vulnerability and is recorded under the identifier CVE-2024-8260, with a CVSS score ranging from 6.1 to 7.3. It affects both the CLI and Go SDK for Windows.
The root of this problem lies in improper input validation: a file-path argument was passed straight to Windows file APIs, so a path pointing at a remote share could force the Windows machine running OPA to authenticate to that share and reveal the Net-NTLMv2 hash of the logged-in user.
However, successful exploitation requires that the targeted host be able to send outbound SMB traffic over TCP port 445 to an attacker-controlled server. Other conditions that keep this issue at medium severity include:
- Gaining an initial foothold in the environment or employing social engineering tactics to influence a user to execute the OPA CLI.
- Providing a Universal Naming Convention (UNC) path rather than a Rego rule file as an argument to the OPA CLI or the OPA Go library’s functions.
The credentials acquired through this method could be misused to launch relay attacks to bypass authentication or for offline password cracking attempts.
Tenable security researcher Shelly Raban explained, “When a user or application attempts to access a remote share on Windows, it forces the local machine to authenticate to the remote server using NTLM. During this process, the NTLM hash of the local user is transmitted to the remote server. An attacker can exploit this to capture the credentials, enabling them to relay the authentication or crack the hashes offline.”
After a responsible disclosure made on June 19, 2024, the vulnerability was rectified in version 0.68.0, which was released on August 29, 2024.
The company remarked, “As open-source projects find their way into widely used solutions, it’s paramount to ensure their security to shield vendors and their customers from potential vulnerabilities. Additionally, organizations should limit the public exposure of their services to safeguard their systems wherever feasible.”
This revelation follows Akamai’s recent disclosure of a privilege escalation issue in the Microsoft Remote Registry Service, tracked as CVE-2024-43532, which could enable an attacker to gain SYSTEM privileges via an NTLM relay. This flaw was patched by Microsoft earlier this month, following its report on February 1, 2024.
Akamai researcher Stiv Kupchik noted, “The vulnerability exploits a fallback mechanism in the WinReg [RPC] client implementation that uses outdated transport protocols insecurely if the SMB transport is absent.”
He added, “By taking advantage of this vulnerability, an attacker can relay the client’s NTLM authentication details to the Active Directory Certificate Services (ADCS) and request a user certificate for further authentication within the domain.”
The susceptibility of NTLM to relay attacks has not been overlooked by Microsoft. This past May, Microsoft reiterated its plans to phase out NTLM in Windows 11 in favor of Kerberos in order to strengthen user authentication.
Kupchik remarked, “While many RPC servers and clients are secure today, instances arise where we can still find remnants of insecure implementations to varying extents. In this case, we managed to achieve NTLM relay, which is an outdated class of attacks.”