Press Release | Cyber Safety

Tenable Research Discovers SMB Force-Authentication Vulnerability in Widely Used Open-Source Software

Patching Must Be Done to Address It Immediately

Tenable, the exposure management company, has disclosed that its Tenable Cloud Security Research team has discovered a medium-severity Server Message Block (SMB) force-authentication vulnerability that exists in all versions of Open Policy Agent (OPA) for Windows prior to v0.68.0. OPA is one of the most widely used policy engines built on open-source software.

The vulnerability, tracked as CVE-2024-8260, exists because of improper input validation, allowing users to pass an arbitrary SMB share instead of a Rego file as an argument to the OPA CLI or one of the OPA Go library’s functions. Successful exploitation can lead to unauthorised access by leaking the Net-NTLMv2 hash—or in lay terms, the credentials—of the user currently logged into the Windows device running the OPA application. Post-exploitation, the attacker could relay authentication to other systems that support NTLMv2 or perform offline cracking to extract the password.
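To illustrate the input-validation gap described above, the following Go pre-check is an added example, not code from Tenable's advisory or from the OPA project: an application that embeds the OPA Go library on Windows could apply it to policy paths before loading them. The names `ValidatePolicyPath` and `ErrRemotePath` and the host `fileserver.example` are assumptions made for the example; updating to v0.68.0 remains the fix.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrRemotePath marks a policy path that would make Windows contact a remote host.
var ErrRemotePath = errors.New("policy path refers to a remote share")

// ValidatePolicyPath is a hypothetical pre-check (not an OPA API). It rejects
// UNC-style paths and file URLs that name a host before any loader opens them.
func ValidatePolicyPath(p string) error {
	p = strings.TrimSpace(p)
	// Windows treats / and \ alike, so //host/share is the same as \\host\share.
	// This also rejects \\?\ and \\.\ device forms, which can wrap a UNC path.
	if strings.HasPrefix(strings.ReplaceAll(p, "/", `\`), `\\`) {
		return fmt.Errorf("%w: %q", ErrRemotePath, p)
	}
	if !strings.HasPrefix(strings.ToLower(p), "file:") {
		return nil // not a file URL; treated as an ordinary local path
	}
	u, err := url.Parse(p)
	if err != nil {
		return fmt.Errorf("unparseable file URL %q: %w", p, err)
	}
	host := u.Hostname()
	remoteHost := host != "" && !strings.EqualFold(host, "localhost")
	// file:////host/share and file:\\host\share carry the share in the path part.
	rest := strings.ReplaceAll(u.Opaque+u.Path, "/", `\`)
	if remoteHost || strings.HasPrefix(rest, `\\`) {
		return fmt.Errorf("%w: %q", ErrRemotePath, p)
	}
	return nil
}

func main() {
	// Constructed sample inputs; fileserver.example is a placeholder host.
	for _, p := range []string{`C:\policies\authz.rego`, `\\fileserver.example\share\authz.rego`,
		`file:////fileserver.example/share/authz.rego`} {
		fmt.Printf("%-50s -> %v\n", p, ValidatePolicyPath(p))
	}
}
```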

Why the Tenable Discovery Matters

Open-source software offers organisations of all sizes the ability to accelerate innovation and software development at little to no cost. However, relying on open-source software to build enterprise-scale applications does carry risk. Two prime examples of this issue are the Log4Shell vulnerability disclosed in December 2021 and the XZ Utils backdoor disclosed earlier this year.

Key Takeaway of the Tenable Finding

“As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface,” said Ari Eitan, Director at Tenable Cloud Security Research. “This vulnerability discovery underscores the need for collaboration between security and engineering teams to mitigate such risks.”

With an inventory of installed software and a robust patch management process, organisations can ensure that vulnerable software on critical systems is updated as soon as a patch becomes available. Proactively managing exposure using a unified asset inventory allows teams to gain a holistic view of their environment and risks, enabling them to prioritise remediation efforts effectively. Additionally, organisations must minimise the public exposure of services unless absolutely necessary to protect their systems.

Styra fixed the issue in the latest release of OPA (v0.68.0). All instances of OPA older than v0.68.0 running on Windows are vulnerable and should be patched to prevent exploitation. Organisations that deploy the OPA CLI or the OPA Go package on Windows should update to the latest version.

More information is available in this technical advisory. Tenable has published a blog post here: https://www.tenable.com/blog/cve-2024-8260-smb-force-authentication-vulnerability-in-opa-could-lead-to-credential-leakage.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.
