Windows, Linux distros, macOS pay for Kerberos 21-year-old 'cryptographic sin'

Researchers find an authentication protocol bug that affects Windows, Linux and Apple.
Written by Liam Tung, Contributing Writer

An attacker sitting between server and client can exploit the Orpheus Lyre bug to impersonate some services to the client.

Image: Getty Images/iStockphoto

A bypass bug present in the Kerberos cryptographic authentication protocol for 21 years has now been fixed in patches from Microsoft, Samba, Fedora, FreeBSD, and Debian.

The discoverers of the ancient Kerberos bypass bug have called it Orpheus Lyre after Orpheus, the musician from Greek legend who bypassed Cerberos, the three-headed hound guarding the gates of Hades. Orpheus pacified the dog with the music of his lyre.

Kerberos, which is named after Cerberos, is implemented as a cryptographic authentication protocol in products like Microsoft's Active Directory. Microsoft fixed the bug in this week's patch Tuesday update.

Samba, Debian, and FreeBSD are also affected through the open-source Heimdal implementation of Kerberos V5. Heimdal before version 7.4 is vulnerable. It appears Apple's Kerberos implementation in macOS is also vulnerable to Orpheus Lyre. However, the MIT implementation is not.

Orpheus Lyre was discovered by Jeffrey Altman, Viktor Duchovni and Nico Williams. They explain in a post that Orpheus Lyre can be used by a man-in-the-middle attacker to remotely steal credentials, and from there gain privilege escalation to defeat Kerberos encryption.

Instead of public-key cryptography's use of digital certificates from certificate authorities, the Kerberos protocol relies on a trusted third-party called the key distribution center (KDC).

These KDCs issue "short-lived tickets" that are used to authenticate a client to a specific service. An encrypted portion of the ticket contains the name of the intended user, metadata, and a session key. The KDC also provides the user with a session key that creates an Authenticator, which is used to prove they know the session key.

As they explain, Kerberos' "original cryptographic sin" was the abundance of unauthenticated plaintext in the protocol. While Kerberos can be secure, implementing it so as to authenticate plaintext is difficult.

"In this case, a two-line bug in several independently developed implementations of Kerberos, caused that metadata to be taken from the unauthenticated plaintext, the Ticket, rather than the authenticated and encrypted KDC response," they wrote.

The researchers haven't detailed every method of exploiting the Orpheus Lyre bug but note that an attacker sitting between a client and server can impersonate some services to the client. The bug also can only be closed by patching end-user systems rather than servers.

"If the client presents a Ticket and Authenticator, and the service can decrypt the Ticket, extract the session key, and decrypt the Authenticator with the session key, then the client is whoever the Ticket says they are, for they possessed the cryptographic key with which to make that Authenticator," they explain.

Read more on security

Editorial standards