Breaking
May 31, 2026

OPA for Windows Vulnerability Exposes NTLM Hashes Hallie Frederick | usagoldmines.com

Organizations using Open Policy Agent (OPA) for Windows should update to v0.68.0 or later to protect against an authentication hash leakage vulnerability identified in all earlier versions of the open source policy enforcement engine.

The vulnerability, assigned the identifier CVE-2024-8260, stems from improper input validation and allows attackers to trick OPA into accessing a malicious Server Message Block (SMB) share. This can result in credential leakage and the potential exposure of sensitive system information.

Enabling Credential Leaks

“Successful exploitation can lead to unauthorised access by leaking the Net-NTLMv2 hash — or in lay terms, the credentials — of the user currently logged into the Windows device running the OPA application,” said researchers at Tenable, who discovered the bug and issued a report this week. “Post-exploitation, the attacker could relay authentication to other systems that support NTLMv2 or perform offline cracking to extract the password.”

Many organizations use OPA for Windows to define and enforce authorization and resource access policies across their software stack, including cloud native applications, microservices, and APIs. The technology gives organizations a way to ensure consistent policy automation and compliance across mixed Linux and Windows environments.

The vulnerability that Tenable discovered essentially allows attackers to force a vulnerable system to authenticate to an attacker's server and thereby leak user credentials in the process. The problem had to do with older versions of OPA for Windows not properly verifying the kind of input they received. Ordinarily, OPA should only load what are called Rego files for the rules and policies that drive its decision making. What Tenable found was that, because of this missing validation, an attacker could pass a path to an arbitrary SMB share (a UNC path of the form \\server\share) instead of a local Rego file to the OPA command line interface or to one of its Go library functions. Because Windows transparently attempts NTLM authentication when it opens a UNC path, an attacker who supplies a path pointing at their own SMB server forces the system running the vulnerable OPA instance to authenticate to it, and the attacker's listener captures the resulting Net-NTLMv2 challenge-response.
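As an added example that is not OPA's own code and not the upstream fix, the following Go helper shows the kind of input check that was missing: an application embedding OPA can run it over any operator- or user-supplied policy path before handing that path to a loader. The allowed root directory, the file names and the attacker host name are constructed for the example. It rejects UNC paths in both separator styles, the extended `\\?\UNC\` form, URL-style schemes such as `smb://`, files without a `.rego` extension, and paths that resolve outside the allowed directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePolicyPath marks any path that must not reach a file loader.
var ErrUnsafePolicyPath = errors.New("unsafe policy path")

// isRemotePath reports whether p names a network location instead of a
// local file: a UNC share (\\server\share or //server/share), the extended
// UNC form (\\?\UNC\server\share), or a URL scheme such as smb:// or file://.
// Opening any of these on Windows triggers an outbound SMB connection that
// offers the current user's Net-NTLMv2 response to whoever answers.
func isRemotePath(p string) bool {
	n := strings.ReplaceAll(p, `\`, "/")
	if strings.HasPrefix(n, "//") {
		return true
	}
	// "scheme://host/..." style. A drive letter such as C:/x has no "//"
	// after the colon and is therefore not matched.
	return strings.Contains(n, "://")
}

// CheckPolicyPath validates an externally supplied policy path before it is
// handed to any loader. It rejects network locations, requires a .rego
// extension, and confines the file to allowedRoot (which must be absolute).
// On success it returns the cleaned absolute path that is safe to load.
func CheckPolicyPath(allowedRoot, p string) (string, error) {
	if strings.TrimSpace(p) == "" {
		return "", fmt.Errorf("%w: empty path", ErrUnsafePolicyPath)
	}
	if isRemotePath(p) {
		return "", fmt.Errorf("%w: network location %q", ErrUnsafePolicyPath, p)
	}
	if !strings.EqualFold(filepath.Ext(p), ".rego") {
		return "", fmt.Errorf("%w: not a .rego file %q", ErrUnsafePolicyPath, p)
	}
	if !filepath.IsAbs(allowedRoot) {
		return "", fmt.Errorf("%w: allowedRoot %q is not absolute", ErrUnsafePolicyPath, allowedRoot)
	}
	root := filepath.Clean(allowedRoot)
	// Normalise separators so the containment check behaves the same on
	// Linux (where '\' is an ordinary character) and on Windows.
	full := strings.ReplaceAll(p, `\`, "/")
	if !filepath.IsAbs(full) {
		full = filepath.Join(root, full)
	}
	full = filepath.Clean(full)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves outside %q", ErrUnsafePolicyPath, p, root)
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate policy file and several
	// paths of the kind an attacker could feed to an unpatched loader.
	root := "/opt/opa/policies"
	for _, p := range []string{
		"authz.rego",
		`\\attacker.example\share\policy.rego`,
		`\\?\UNC\attacker.example\share\policy.rego`,
		"//attacker.example/share/policy.rego",
		"smb://attacker.example/share/policy.rego",
		"../secrets.rego",
		"authz.txt",
	} {
		if full, err := CheckPolicyPath(root, p); err != nil {
			fmt.Printf("REJECT %-45q %v\n", p, err)
		} else {
			fmt.Printf("ACCEPT %-45q -> %s\n", p, full)
		}
	}
}
```

Upgrading to v0.68.0 or later remains the actual fix; a check like this only guarantees that the embedding application never forwards a network path in the first place. Pair it with blocking outbound TCP 445 at the host firewall or perimeter, which stops the credential leak even if some other code path still accepts a UNC path.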

“This can result in credential leaks or the execution of malicious logic, posing serious risks to system integrity and security,” Tenable said. An adversary that captures a Net-NTLMv2 response by exploiting CVE-2024-8260 could use it in two ways: relay the authentication in real time to another system or service that accepts NTLMv2 and does not enforce signing, in order to move laterally or connect to file shares as the victim user, or crack it offline to recover the user's password.

NTLM (New Technology LAN Manager) is a suite of authentication protocols from Microsoft that many organizations still use to enable single sign-on to enterprise applications and services. Attackers have long abused NTLM in so-called pass-the-hash attacks and NTLM relay attacks, in which they reuse stolen authentication material to authenticate to other applications and services without actually knowing the password. The distinction matters here: pass-the-hash requires the stored NT hash itself, whereas what CVE-2024-8260 leaks is a Net-NTLMv2 challenge-response, which cannot be passed directly but can be relayed while the session is live or cracked offline, exactly as Tenable describes.

A Reminder of Open Source Risks

Tenable described the vulnerability it discovered as highlighting the risks organizations assume when consuming open source software and code. In research that Black Duck described in its “2024 Open Source Security and Risk Analysis Report,” the vendor found some 96% of the code bases it reviewed to contain open source components. On average, 77% of all code in those codebases originated from open source. Some 84% of codebases that underwent a risk assessment contained one or more security vulnerabilities, and 74% had high-risk vulnerabilities such as Log4Shell or the XZ Utils backdoor in them. A surprising 14% of the code bases that Black Duck assessed had unpatched open source vulnerabilities in them that were 10 or more years old.

“As open-source projects become integrated into widespread solutions, it's crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface,” said Ari Eitan, director of Tenable Cloud Security Research, in a statement. “This vulnerability discovery underscores the need for collaboration between security and engineering teams to mitigate such risks.”

 

This article was written by: Nermeen Nabil Khear Abdelmalak

All rights reserved to: USAGOLDMINES. www.usagoldmines.com
