CFOtech New Zealand - Technology news for CFOs & financial decision-makers
New Zealand
Guides
#
cybersecurity
#
data analytics
#
data analytics
#
digital transformation
#
hybrid & remote work
Search
Story image
#
Cybersecurity
#
Software Development
#
SMB

Tenable discloses vulnerability in Open Policy Agent OPA

Today
Author image
By Imee Dequito, Editor

Tenable has revealed a medium-severity SMB force-authentication vulnerability present in all Windows versions of the Open Policy Agent prior to version 0.68.0.

Open Policy Agent, a widely used open-source policy engine, contains a vulnerability, tracked as CVE-2024-8260. This vulnerability arises due to improper input validation, enabling users to pass arbitrary SMB shares instead of a Rego file as an argument to the OPA CLI or the OPA Go library's functions. Such flaws may lead to unauthorised access by exposing the Net-NTLMv2 hash—essentially, the credentials—of the user currently logged into the Windows device using the OPA application. If successfully exploited, an attacker could relay authentication to systems supporting NTLMv2 or conduct offline cracking to retrieve the password.

Open-source software offers significant cost benefits to organisations of varying sizes, allowing them to expedite innovation and development. However, these platforms can pose risks, as exemplified by the Log4Shell vulnerability and the XZ Utils backdoor, identified in December 2021 and earlier this year, respectively.

Ari Eitan, Director of Tenable Cloud Security Research, emphasised the importance of security throughout open-source integration, stating, "As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface." Eitan highlighted the necessity for partnerships between security and engineering teams to address such vulnerabilities effectively.

Maintaining an inventory of installed software alongside a robust patch management process ensures organisations can promptly update critical systems when patches become available.

Managing exposure through a unified asset inventory offers teams a comprehensive view of their environment and accompanying risks, driving prioritisation of remediation efforts. Reducing public exposure of services unless necessary is also vital to safeguard systems.

The issue received a fix in the latest OPA release, version 0.68.0. Older instances of OPA on Windows remain vulnerable and should be patched without delay to prevent exploitation. Organisations employing the OPA CLI or the OPA Go package are advised to update to this latest version.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Snowflake unveils tools to boost cross-cloud collaboration
Snowflake unveils features to simplify data & AI management
Financial sector prepares for EU DORA regulations in 2025
Todd Chronert named new Chief Revenue Officer at Red Canary
Cequence Security launches comprehensive API security services
Top stories
In-person leadership programmes vital in AI-driven tech era
Organisations struggle with GenAI ROI despite strategies
CoinFlip Wallet launches in Australia & New Zealand
Navigating the supply chain for Scope 3 emissions
Mitel launches AI-powered platform for enhanced CX management