CVE-2024-8260: 
Datadog Agent vulnerability analysis and mitigation

A SMB force-authentication vulnerability (CVE-2024-8260) was discovered in all versions of Open Policy Agent (OPA) for Windows prior to v0.68.0. The vulnerability was discovered on June 19, 2024, and disclosed to Styra on August 6, 2024. The vulnerability affects both the OPA CLI (Community and Enterprise editions) and the OPA Go SDK running on Windows systems (Tenable Advisory).

The vulnerability exists due to improper input validation, which allows a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library's functions. The vulnerability affects multiple OPA CLI commands including 'opa eval -d', 'opa eval --bundle', and 'opa run -s', as well as OPA Go package functions like 'Rego.Load(, nil)' and 'Rego.LoadBundle()'. The vulnerability has been assigned a CVSSv3 base score of 6.1 (Medium) with a vector of AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L (Tenable Advisory).

A successful exploit of this vulnerability can lead to unauthorized access by leaking the Net-NTLMv2 hash of the user currently logged into the Windows device running the OPA application, provided the victim can initiate outbound Server Message Block (SMB) traffic over port 445. Post-exploitation, the attacker can either relay authentication to other systems that support NTLMv2 or perform offline cracking to extract the password (Tenable Advisory).

The recommended solution is to upgrade to OPA version v0.68.0 or later, which includes a fix for this vulnerability. The fix adds checks in all the affected symbols of the loader.go package that raise an error if a UNC is provided (Tenable Advisory, OPA Release).