A significant security vulnerability has been identified in Styra’s Open Policy Agent (OPA), potentially exposing New Technology LAN Manager (NTLM) hashes to remote attackers. This flaw, tracked as CVE-2024-8260, has been assigned a CVSS score between 6.1 and 7.3, indicating a medium to high severity level. The vulnerability primarily affects both the command-line interface and the Go software development kit for Windows, revealing serious implications for organizations relying on these tools for policy management and access control.
At the core of this issue lies improper input validation within the OPA application, which can lead to unauthorized access through the leakage of Net-NTLMv2 hashes from the user currently logged into the Windows device running OPA. The exploitation of this vulnerability requires specific conditions, including an attacker having an initial foothold in the target environment or employing social engineering tactics to deceive a user. Additionally, the attacker must initiate outbound Server Message Block (SMB) traffic over port 445, passing a Universal Naming Convention (UNC) path instead of a Rego rule file as an argument to the OPA CLI or Go library’s functions.
If successfully exploited, the vulnerability enables attackers to capture NTLM credentials during the authentication process when a user or application attempts to access a remote share on Windows. This scenario allows the attacker to relay the authentication or engage in offline password cracking, significantly compromising the security of the affected systems. The ability to leak NTLM hashes is especially concerning as these hashes can be weaponized to bypass authentication measures, posing a substantial risk to sensitive data and network integrity.
Following responsible disclosure on June 19, 2024, Styra promptly addressed the vulnerability with the release of version 0.68.0 on August 29, 2024. This incident emphasizes the critical need for organizations to maintain robust security practices around open-source projects integrated into their environments. As these projects become increasingly prevalent, ensuring their security is essential to protect vendors and customers from an expanding attack surface. The ongoing issues surrounding NTLM relay attacks have not gone unnoticed, as Microsoft has reiterated plans to retire NTLM in favor of Kerberos in Windows 11 to strengthen user authentication. This situation highlights the need for continuous vigilance and proactive measures to safeguard systems against evolving cybersecurity threats.