Security Flaw in Styra’s OPA Exposes NTLM Hashes to Remote Attackers

Oct 22, 2024Ravie LakshmananVulnerability / Software Security

Details have emerged about a now-patched security flaw in Styra’s Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes.

“The vulnerability could have allowed an attacker to leak the NTLM credentials of the OPA server’s local user account to a remote server, potentially allowing the attacker to relay the authentication or crack the password,” cybersecurity firm Tenable said in a report shared with The Hacker News.

The security flaw, described as a Server Message Block (SMB) force-authentication vulnerability and tracked as CVE-2024-8260 (CVSS score: 6.1/7.3), impacts both the CLI and Go software development kit (SDK) for Windows.

Cybersecurity

At its core, the issue stems from an improper input validation that can lead to unauthorized access by leaking the Net-NTLMv2 hash of the user who is currently logged into the Windows device running the OPA application.

However, for this to work, the victim must be in a position to initiate outbound Server Message Block (SMB) traffic over port 445. Some of the other prerequisites that contribute to the medium severity are listed below –

  • An initial foothold in the environment, or social engineering of a user, that paves the way for the execution of the OPA CLI
  • Passing a Universal Naming Convention (UNC) path instead of a Rego rule file as an argument to OPA CLI or the OPA Go library’s functions

The credential captured in this manner could then be weaponized to stage a relay attack in order to bypass authentication, or perform offline cracking to extract the password.

“When a user or application attempts to access a remote share on Windows, it forces the local machine to authenticate to the remote server via NTLM,” Tenable security researcher Shelly Raban said.

“During this process, the NTLM hash of the local user is sent to the remote server. An attacker can leverage this mechanism to capture the credentials, allowing them to relay the authentication or crack the hashes offline.”

Following responsible disclosure on June 19, 2024, the vulnerability was addressed in version 0.68.0 released on August 29, 2024.

“As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface,” the company noted. “Additionally, organizations must minimize the public exposure of services unless absolutely necessary to protect their systems.”

The disclosure comes as Akamai shed light on a privilege escalation flaw in the Microsoft Remote Registry Service (CVE-2024-43532, CVSS score: 8.8) that could permit an attacker to gain SYSTEM privileges by means of an NTLM relay. It was patched by the tech giant earlier this month after it was reported on February 1, 2024.

Cybersecurity

“The vulnerability abuses a fallback mechanism in the WinReg [RPC] client implementation that uses obsolete transport protocols insecurely if the SMB transport is unavailable,” Akamai researcher Stiv Kupchik said.

“By exploiting this vulnerability, an attacker can relay the client’s NTLM authentication details to the Active Directory Certificate Services (ADCS), and request a user certificate to leverage for further authentication in the domain.”

The susceptibility of NTLM to relay attacks hasn’t gone unnoticed by Microsoft, which, earlier this May, reiterated its plans to retire NTLM in Windows 11 in favor of Kerberos as part of its efforts to strengthen user authentication.

“While most RPC servers and clients are secure nowadays, it is possible, from time to time, to uncover relics of insecure implementation to varying degrees,” Kupchik said. “In this case, we managed to achieve NTLM relay, which is a class of attacks that better belongs to the past.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.