Security flaw in OPA Styra exposes NTLM hashes to remote attackers

By Admin, October 22, 2024
October 22, 2024Ravi LakshmananSoftware Vulnerability / Security


Details have surfaced about a now-fixed security flaw in Styra’s Open Policy Agent (OPA) that, if successfully exploited, could lead to a leak of New Technology LAN Manager (NTLM) hashes.

“The vulnerability could allow an attacker to pass the NTLM credentials of a local OPA server user account to a remote server, potentially allowing an attacker to relay authentication or crack a password,” cybersecurity firm Tenable said in a report shared with The Hacker News.

The security flaw, described as a Server Message Block (SMB) forced authentication vulnerability and tracked as CVE-2024-8260 (CVSS score: 6.1/7.3), affects both the CLI and the Go software development kit (SDK) for Windows.


At its core, the issue stems from improper input validation, which could lead to unauthorized access by leaking the Net-NTLMv2 hash of the user currently logged on to the Windows device running the OPA program.

However, for this to work, the victim must be able to initiate outbound Server Message Block (SMB) traffic over port 445. Some of the other prerequisites that contribute to the medium severity rating are listed below:

  • An initial foothold in the environment, or social engineering of a user, that paves the way for execution of the OPA CLI
  • Passing a Universal Naming Convention (UNC) path instead of a Rego rules file as an argument to OPA CLI or OPA Go library functions

Credentials captured in this way can then be used in a relay attack to bypass authentication, or cracked offline to recover the password.
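One way a caller could enforce the missing input check itself, shown as an added example that is not OPA's code or its 0.68.0 fix: a Go pre-filter that recognises UNC-style arguments before they reach a policy loader and reports the host each one would contact. The function names, sample paths and hosts are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// UNCHost returns the server a path argument would make Windows contact,
// and false for local paths. String-based, so it behaves the same on any OS.
func UNCHost(p string) (string, bool) {
	s := strings.ReplaceAll(strings.TrimSpace(p), "/", `\`)
	if !strings.HasPrefix(s, `\\`) {
		return "", false // drive-letter, relative or rooted local path
	}
	rest := s[2:]
	// \\?\ and \\.\ are device namespaces; only their UNC branch is remote.
	if strings.HasPrefix(rest, `?\`) || strings.HasPrefix(rest, `.\`) {
		if len(rest) < 6 || !strings.EqualFold(rest[2:6], `UNC\`) {
			return "", false // e.g. \\?\C:\policies\authz.rego
		}
		rest = rest[6:]
	}
	host, _, _ := strings.Cut(rest, `\`)
	return host, true
}

// SplitPolicyArgs separates arguments that are safe to hand to a policy
// loader from those that name a remote share (mapped to the target host).
func SplitPolicyArgs(args []string) (local []string, rejected map[string]string) {
	rejected = map[string]string{}
	for _, a := range args {
		if host, remote := UNCHost(a); remote {
			rejected[a] = host
			continue
		}
		local = append(local, a)
	}
	return local, rejected
}

func main() {
	// Constructed sample arguments; hosts use documentation-only names.
	args := []string{`C:\policies\authz.rego`, `policies/authz.rego`,
		`\\198.51.100.7\share\authz.rego`, `//files.example.test/p/a.rego`,
		`\\?\UNC\files.example.test\p\a.rego`, `\\?\C:\policies\authz.rego`}
	local, rejected := SplitPolicyArgs(args)
	fmt.Println("load:", local, "reject:", rejected)
}
```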

“When a user or program tries to access a remote share in Windows, it forces the local machine to authenticate to the remote server via NTLM,” said Tenable security researcher Shelly Raban.

“During this process, the NTLM hash of the local user is sent to the remote server. An attacker could use this mechanism to capture credentials, allowing them to relay authentication or crack hashes offline.”

Following responsible disclosure on June 19, 2024, the vulnerability was fixed in version 0.68.0, released on August 29, 2024.

“As open source projects are integrated into widespread solutions, it is critical to ensure that they are secure and do not expose vendors and their customers to an enhanced attack surface,” the company said. “Additionally, organizations should minimize access to public services unless absolutely necessary to protect their systems.”

The disclosure comes as Akamai shed light on a privilege escalation flaw in Microsoft’s Remote Registry Service (CVE-2024-43532, CVSS score: 8.8), which could allow an attacker to gain SYSTEM privileges via an NTLM relay. It was patched by the tech giant earlier this month following a February 1, 2024 announcement.


“The vulnerability abuses a fallback mechanism in the WinReg client implementation (RPC) that unreliably uses outdated transport protocols when SMB transport is unavailable,” Akamai researcher Steve Kupczyk said.

“Using this vulnerability, an attacker could pass NTLM client authentication credentials to Active Directory Certificate Services (ADCS) and request a user certificate for further authentication to a domain.”

NTLM’s susceptibility to relay attacks has not gone unnoticed by Microsoft, which earlier this May reiterated its plans to abandon NTLM in Windows 11 in favor of Kerberos as part of its efforts to strengthen user authentication.

“While most RPC servers and clients are secure these days, remnants of an insecure implementation can occasionally be found to varying degrees,” Kupczyk said. “In this case, we were able to achieve NTLM relaying, which is a class of attack best left in the past.”
