Tenable, the exposure management company, has disclosed that its Tenable Cloud Security Research team has discovered a medium-severity Server Message Block (SMB) force-authentication vulnerability that exists in all versions of Open Policy Agent (OPA) for Windows prior to v0.68.0. OPA is one of the most widely used policy engines built on open-source software.
The vulnerability, tracked as CVE-2024-8260, exists because of improper input validation, allowing users to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or one of the OPA Go library’s functions. Successful exploitation can lead to unauthorised access by leaking the Net-NTLMv2 hash – or in lay terms, the credentials – of the user currently logged into the Windows device running the OPA application. Post-exploitation, the attacker could relay authentication to other systems that support NTLMv2 or perform offline cracking to extract the password.
Why It Matters
Open-source software offers organizations of all sizes the ability to accelerate innovation and software development at little to no cost. However, relying on open-source software to build enterprise-scale applications does carry risk. Two prime examples of this issue are the Log4Shell vulnerability disclosed in December 2021 and the XZ Utils backdoor disclosed earlier this year.
Key Takeaway
“As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface,” said Ari Eitan, director of Tenable Cloud Security Research, “This vulnerability discovery underscores the need for collaboration between security and engineering teams to mitigate such risks.”
With an inventory of installed software and a robust patch management process, organizations can ensure that vulnerable software on critical systems is updated as soon as a patch becomes available. Proactively managing exposure using a unified asset inventory allows teams to gain a holistic view of their environment and risks, enabling them to prioritise remediation efforts effectively. Additionally, organisations must minimise the public exposure of services unless absolutely necessary to protect their systems.
Styra fixed the issue in the latest release of OPA (v0.68.0). All older instances of OPA v0.68.0 running on Windows are vulnerable and should be patched to prevent exploitation. Organisations that deploy the OPA CLI or the OPA Go package on Windows should update to the latest version.