Security Flaw in Styra’s OPA Exposes NTLM Hashes to Remote Attackers

October 22, 2024 at 10:30AM

A recently patched vulnerability in Styra’s Open Policy Agent (CVE-2024-8260) could have allowed attackers to leak NTLM credentials, enabling authentication relay or password cracking. The flaw involves an input validation issue, and exploitation depends on specific prerequisites. It highlights the ongoing risks associated with NTLM, risks that have prompted Microsoft to plan its retirement in Windows 11.

### Meeting Takeaways – October 22, 2024

1. **Vulnerability Identified**: A security flaw in Styra’s Open Policy Agent (OPA) was discovered and patched. The vulnerability, tracked as CVE-2024-8260, had the potential to leak NTLM hashes of local user accounts on the OPA server.

2. **Mechanism of Attack**:
   - The flaw is classified as a Server Message Block (SMB) force-authentication vulnerability.
   - Attackers could potentially capture NTLM credentials and either relay them for unauthorized access or crack the password offline.
   - An attacker needs to initiate outbound SMB traffic over port 445 and can exploit certain conditions, such as social engineering.

3. **High-Risk Conditions**: Successful exploitation requires:
   - An initial foothold in the environment.
   - A UNC path being provided instead of a standard Rego rule file when executing the OPA CLI or SDK functions.

4. **Mitigation**: The vulnerability was responsibly disclosed on June 19, 2024, and a patch was released in version 0.68.0 on August 29, 2024.

5. **Broader Context**: The discussion of this vulnerability overlaps with other security concerns:
   - Akamai reported a privilege escalation flaw in Microsoft’s Remote Registry Service (CVE-2024-43532) with more severe implications, emphasizing the vulnerability of NTLM to relay attacks.
   - Microsoft is planning to retire NTLM in Windows 11 in favor of Kerberos to strengthen user authentication.

6. **Call to Action**: Organizations must ensure the security of open-source components integrated into their solutions and minimize unnecessary public exposure of their services to reduce the attack surface.
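
The condition in item 3 (a UNC path supplied where a Rego rule file is expected) can be screened for before a path ever reaches the OPA CLI or SDK. The following Go code is an added example, not code from the article or from OPA's patch; the function names `isUNCPath` and `checkPolicyPaths` and the sample host and share names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// isUNCPath reports whether p names a remote SMB location when opened on
// Windows: \\host\share, //host/share, or the \\?\UNC\ and \\.\UNC\ forms.
// It is a pure string check, so it gives the same answer on every OS.
func isUNCPath(p string) bool {
	s := strings.ReplaceAll(strings.TrimSpace(p), "/", `\`)
	if !strings.HasPrefix(s, `\\`) {
		return false
	}
	rest := s[2:]
	// Device namespace (\\?\ and \\.\) is local unless followed by UNC\.
	if strings.HasPrefix(rest, `?\`) || strings.HasPrefix(rest, `.\`) {
		return strings.HasPrefix(strings.ToUpper(rest[2:]), `UNC\`)
	}
	// Any other path starting with two separators is treated as remote.
	return true
}

// checkPolicyPaths splits candidate policy paths into allowed and rejected.
func checkPolicyPaths(paths []string) (allowed, rejected []string) {
	for _, p := range paths {
		if isUNCPath(p) {
			rejected = append(rejected, p)
		} else {
			allowed = append(allowed, p)
		}
	}
	return allowed, rejected
}

func main() {
	// Constructed sample inputs; host and share names are placeholders.
	samples := []string{
		`policy.rego`,
		`C:\policies\authz.rego`,
		`\\fileserver.example\share\authz.rego`,
		`//fileserver.example/share/authz.rego`,
		`\\?\UNC\fileserver.example\share\authz.rego`,
		`\\?\C:\policies\authz.rego`,
	}
	allowed, rejected := checkPolicyPaths(samples)
	fmt.Printf("allowed:  %q\nrejected: %q\n", allowed, rejected)
}
```

The check is deliberately conservative: on non-Windows hosts a path such as `//dir/file` is local, but it is rejected here as well so that the same allow-list logic applies wherever the wrapper runs.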

### Next Steps:
- Encourage teams to update systems with the latest OPA version.
- Review security protocols related to NTLM usage and consider strategies for transitioning to Kerberos.
- Stay informed on further developments regarding NTLM vulnerability management.
