Severe SMB Vulnerability Hits All OPA Versions on Windows

The recent OPA update addresses a vulnerability that could have allowed an attacker to extract NTLM credentials for the local user account under which the OPA server runs. Those credentials could have been used for unauthorized access or cracked offline; the vulnerability affected both the OPA CLI and the Go SDK.

Open Policy Agent (OPA) for Windows was found to be vulnerable to a forced-authentication attack: by passing a malicious UNC share path to the OPA CLI or Go package, an attacker could make OPA leak the NTLM credentials of the local user. The issue has been resolved in OPA v0.68.0.

OPA is an open-source policy engine, used among other things for admission control in Kubernetes through Gatekeeper, and it has its own policy language, Rego. Policies can be fetched from external sources or passed directly to OPA, which becomes a risk if the policy source is not trustworthy.

The experiment tested whether OPA would accept a UNC path as a Rego rule file. It did: when OPA tried to open the remote share, the local machine was forced to authenticate to it via NTLM, exposing the user’s credentials to whoever controls that share.

error indicating that OPA attempted to access the remote share

The researcher attempted to exploit the OPA CLI by passing a UNC path as a Rego rule file, and monitored the SMB requests while OPA tried to reach the remote share in order to understand its behavior.

They also exploited the SMB forced-authentication vulnerability in the OPA CLI by providing a malicious SMB share path and capturing the leaked NTLM credentials with Responder. The issue affects both the opa eval and opa run commands, and both the Community and Enterprise editions.

NTLM credentials caught on the attacker’s side

The Go SDK for OPA contains vulnerabilities in the rego.LoadBundle and AsBundle functions that allow attackers to execute arbitrary code by passing a UNC path to the functions, which triggers network access attempts to load the bundle from a remote location.

The loader was exploitable because of insufficient path sanitization; the fix rejects UNC paths that could trigger SMB authentication before any file is opened.

OPA’s loader.go – a package containing utilities for loading files into OPA – patched since v0.68.0 
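To illustrate the kind of check the article describes, here is an added example (not OPA’s own loader.go code) that rejects UNC paths before a policy or bundle loader opens them. It assumes the loader receives plain file arguments, as `opa eval -d` does; the host name and file names in the sample input are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrRemotePath marks a path that would make a loader open an SMB share
// (and so send an NTLM authentication) instead of reading a local file.
var ErrRemotePath = errors.New("remote (UNC) path rejected for policy/bundle load")

// isUNCPath reports whether p points at a network resource. Forward slashes
// are normalised because Windows accepts //host/share as well as \\host\share.
// Every \\-prefixed form is treated as remote except the long-path form of a
// drive-letter path (\\?\C:\...), so \\?\UNC\host\share and \\.\ device paths
// are rejected as well (fail closed).
func isUNCPath(p string) bool {
	n := strings.ReplaceAll(strings.TrimSpace(p), "/", `\`)
	if !strings.HasPrefix(n, `\\`) {
		return false
	}
	rest := strings.TrimPrefix(n, `\\?\`)
	if rest != n && len(rest) >= 2 && rest[1] == ':' &&
		(('A' <= rest[0] && rest[0] <= 'Z') || ('a' <= rest[0] && rest[0] <= 'z')) {
		return false // \\?\X:\... is a local drive path
	}
	return true
}

// validatePolicyPaths filters the file arguments a loader is about to open
// and fails on the first remote path rather than silently dropping it.
func validatePolicyPaths(paths []string) ([]string, error) {
	out := make([]string, 0, len(paths))
	for _, p := range paths {
		if isUNCPath(p) {
			return nil, fmt.Errorf("%w: %q", ErrRemotePath, p)
		}
		out = append(out, filepath.Clean(p))
	}
	return out, nil
}

func main() {
	// Constructed sample inputs; example-host is a placeholder, not a real host.
	inputs := []string{"policies/policy.rego", `\\example-host\share\policy.rego`}
	for _, p := range inputs {
		_, err := validatePolicyPaths([]string{p})
		fmt.Printf("%-36s -> %v\n", p, err)
	}
}
```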

According to Tenable, one of the vulnerabilities in OPA for Windows (pre-v0.68.0) allows for the possibility of command injection into the operating system through policy and bundle files.

The recent discovery of a vulnerability in OPA highlights the importance of secure open-source software integration. By effectively collaborating, security and engineering teams can mitigate such risks and protect against potential attacks.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
