SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Tenable discloses vulnerability in Open Policy Agent (OPA)

Tue, 19th Nov 2024

Tenable has disclosed a medium-severity SMB force-authentication vulnerability affecting all Windows builds of Open Policy Agent (OPA) prior to version 0.68.0.

Open Policy Agent, a widely used open-source policy engine, contains a flaw tracked as CVE-2024-8260. It stems from improper input validation: the OPA CLI and the OPA Go library's loader functions accept a UNC path pointing at an arbitrary SMB share where a path to a Rego file is expected. When OPA opens that path, Windows connects to the remote share and authenticates automatically, exposing the Net-NTLMv2 hash (in effect, the credentials) of the user running OPA on that device. An attacker who captures the exchange can relay the authentication in real time to other systems that accept NTLMv2, or crack the hash offline to recover the password. Exploitation requires getting a Windows host to run OPA with an attacker-supplied path, for example through a build or deployment pipeline that takes policy locations from untrusted input.

Open-source software offers significant cost benefits to organisations of all sizes, allowing them to accelerate innovation and development. However, such components can also introduce risk, as the Log4Shell vulnerability and the XZ Utils backdoor, disclosed in December 2021 and March 2024 respectively, demonstrated.

Ari Eitan, Director of Tenable Cloud Security Research, emphasised the importance of security throughout open-source integration, stating, "As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface." Eitan highlighted the necessity for partnerships between security and engineering teams to address such vulnerabilities effectively.

Maintaining an inventory of installed software alongside a robust patch management process ensures organisations can promptly update critical systems when patches become available.

Managing exposure through a unified asset inventory gives teams a comprehensive view of their environment and its risks, which drives prioritisation of remediation efforts. Exposing services publicly only where necessary also reduces the attack surface.

The issue is fixed in OPA version 0.68.0. Older Windows instances of OPA remain vulnerable and should be updated without delay. Organisations using the OPA CLI or the OPA Go package are advised to upgrade to 0.68.0 or later.
