SMB Force-Authentication Vulnerability Impacts All OPA Versions For Windows


Open Policy Agent (OPA) is an open-source policy engine designed to unify policy enforcement across cloud-native environments.

It allows organizations to manage policies using a high-level declarative language called Rego.


Cybersecurity researchers at Tenable recently identified an SMB force-authentication vulnerability that impacts all Windows versions of OPA.

While researching policy-as-code tools, the researchers discovered a significant vulnerability (CVE-2024-8260, CVSSv3 score 6.1) in OPA for Windows, a widely used open-source policy engine developed by Styra.

The vulnerability affects both the standard and Enterprise editions: an attacker could abuse the OPA CLI and its Go package by manipulating file-related arguments.


Specifically, instead of a legitimate Rego rule file or policy bundle, a threat actor could supply a malicious UNC path pointing to a remote SMB share, which forces the Windows host to attempt authentication to that share.

This authentication attempt exposes the victim's NT LAN Manager (NTLM) credentials to the attacker-controlled server, enabling credential relay attacks or offline password cracking of the captured NTLM hashes.

NTLM credentials caught (Source – Tenable)

The researchers demonstrated the vulnerability with several OPA commands, capturing the resulting authentication attempts with the Responder tool on an attacker-controlled server:

  • opa eval --bundle
  • opa run -s
  • opa eval -d

This flaw affected all Windows versions of OPA until it was patched in version 0.68.0; updating to the latest release is what prevents these credential-theft attacks.

The vulnerability centered on insufficient path sanitization in the github[.]com/open-policy-agent/opa/loader package, where key functions such as LoadBundle() and AsBundle() failed to validate UNC paths properly during bundle loading.

When malicious UNC paths (network share paths starting with `\\`) were provided as input, these functions would attempt to establish SMB network connections to remote shares without adequate security checks.

The affected symbols are:

  • All
  • AllRegos
  • AsBundle
  • Filtered
  • FilteredPaths
  • FilteredPathsFS
  • GetBundleDirectoryLoader
  • GetBundleDirectoryLoaderFS
  • GetBundleDirectoryLoaderWithFilter

Attackers could exploit this behavior to trigger unauthorized SMB authentication attempts, leading to credential theft via NTLM hash capture or other authentication-based attacks.

The root cause was traced to loader.go in that package, which performed only minimal validation before passing user-supplied paths directly to Go's filesystem operations.

The security patch in version 0.68.0 addressed this by adding comprehensive UNC path validation checks across all affected functions, which prevents any attempt to access a remote share through a UNC path.
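As an added illustration of the kind of guard the patch describes (this is not OPA's own patch code, and the function and error names are assumed), the check below rejects Windows UNC paths, including the forward-slash and extended-length `\\?\UNC\` forms, before a user-supplied path reaches any filesystem call; the sample paths in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUNCPath is returned for any path that would make Windows open an
// SMB connection to a remote host instead of reading a local file.
var ErrUNCPath = errors.New("UNC paths are not allowed")

// isUNCPath reports whether p looks like a Windows UNC path: the plain
// form (\\server\share), the forward-slash form (//server/share), the
// extended-length form (\\?\UNC\server\share) and the device-path form
// (\\.\UNC\server\share). The raw argument is checked, before any
// filepath.Clean or Abs call, because cleaning never turns a remote
// path into a local one.
func isUNCPath(p string) bool {
	// Treat forward slashes like backslashes so //host/share is caught too.
	n := strings.ReplaceAll(p, "/", `\`)
	if !strings.HasPrefix(n, `\\`) {
		return false
	}
	// \\?\ and \\.\ prefixes are only remote when followed by UNC\.
	for _, pre := range []string{`\\?\`, `\\.\`} {
		if strings.HasPrefix(n, pre) {
			return strings.HasPrefix(strings.ToUpper(n[len(pre):]), `UNC\`)
		}
	}
	return true
}

// checkLocalPath is the guard a bundle loader would run on every
// user-supplied file or bundle argument before touching the filesystem.
func checkLocalPath(p string) error {
	if isUNCPath(p) {
		return fmt.Errorf("refusing %q: %w", p, ErrUNCPath)
	}
	return nil
}

func main() {
	// Constructed sample inputs: two local paths and three remote ones.
	for _, p := range []string{`C:\policies\bundle.tar.gz`, `\\?\C:\policies\x.rego`,
		`\\example-host\share\policy.rego`, `//example-host/share`, `\\?\UNC\example-host\share\x`} {
		fmt.Printf("%-36s -> %v\n", p, checkLocalPath(p))
	}
}
```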

This vulnerability particularly impacted organizations and vendors that had integrated OPA into their security infrastructure via the Go SDK, highlighting the importance of thorough security analysis of open-source components used in enterprise environments.
