Home Security Security Flaw in Styra’s OPA Exposes NTLM Hashes to Remote Attackers

Security Flaw in Styra’s OPA Exposes NTLM Hashes to Remote Attackers

by


Oct 22, 2024Ravie LakshmananVulnerability / Software Security

Details have emerged about a now-patched security flaw in Styra’s Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes.

“The vulnerability could have allowed an attacker to leak the NTLM credentials of the OPA server’s local user account to a remote server, potentially allowing the attacker to relay the authentication or crack the password,” cybersecurity firm Tenable said in a report shared with The Hacker News.

The security flaw, described as a Server Message Block (SMB) force-authentication vulnerability and tracked as CVE-2024-8260 (CVSS score: 6.1/7.3), impacts both the CLI and Go software development kit (SDK) for Windows.

Cybersecurity

At its core, the issue stems from an improper input validation that can lead to unauthorized access by leaking the Net-NTLMv2 hash of the user who is currently logged into the Windows device running the OPA application.

However, for this to work, the victim must be in a position to initiate outbound Server Message Block (SMB) traffic over port 445. Some of the other prerequisites that contribute to the medium severity are listed below –

  • An initial foothold in the environment, or social engineering of a user, that paves the way for the execution of the OPA CLI
  • Passing a Universal Naming Convention (UNC) path instead of a Rego rule file as an argument to OPA CLI or the OPA Go library’s functions

The credential captured in this manner could then be weaponized to stage a relay attack in order to bypass authentication, or perform offline cracking to extract the password.

“When a user or application attempts to access a remote share on Windows, it forces the local machine to authenticate to the remote server via NTLM,” Tenable security researcher Shelly Raban said.

“During this process, the NTLM hash of the local user is sent to the remote server. An attacker can leverage this mechanism to capture the credentials, allowing them to relay the authentication or crack the hashes offline.”

Following responsible disclosure on June 19, 2024, the vulnerability was addressed in version 0.68.0 released on August 29, 2024.

“As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface,” the company noted. “Additionally, organizations must minimize the public exposure of services unless absolutely necessary to protect their systems.”

The disclosure comes as Akamai shed light on a privilege escalation flaw in the Microsoft Remote Registry Service (CVE-2024-43532, CVSS score: 8.8) that could permit an attacker to gain SYSTEM privileges by means of an NTLM relay. It was patched by the tech giant earlier this month after it was reported on February 1, 2024.

Cybersecurity

“The vulnerability abuses a fallback mechanism in the WinReg [RPC] client implementation that uses obsolete transport protocols insecurely if the SMB transport is unavailable,” Akamai researcher Stiv Kupchik said.

“By exploiting this vulnerability, an attacker can relay the client’s NTLM authentication details to the Active Directory Certificate Services (ADCS), and request a user certificate to leverage for further authentication in the domain.”

The susceptibility of NTLM to relay attacks hasn’t gone unnoticed by Microsoft, which, earlier this May, reiterated its plans to retire NTLM in Windows 11 in favor of Kerberos as part of its efforts to strengthen user authentication.

“While most RPC servers and clients are secure nowadays, it is possible, from time to time, to uncover relics of insecure implementation to varying degrees,” Kupchik said. “In this case, we managed to achieve NTLM relay, which is a class of attacks that better belongs to the past.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex