2 Decade Old Kerberos Vulnerability Gets Patched in Windows, Linux
Two implementations of the Kerberos authentication protocol received patches this week against a vulnerability dubbed “Orpheus’ Lyre” that allowed a threat actor to bypass authentication procedures.
Researchers tracked down the flaw to Kerberos versions released in 1996. The bug affects two of the three implementations of the Kerberos protocol — Heimdal Kerberos and Microsoft Kerberos. The MIT Kerberos implementation is not affected.
Orpheus’ Lyre exploits a part of the Kerberos protocol named “tickets.” These are messages exchanged between network nodes, and are used to authenticate services and users. Not all parts of a ticket are encrypted when sent through the network. Kerberos implementations usually rely on checking the encrypted parts of a Kerberos message to authenticate users and services.
Researchers found a way to force the Kerberos protocol to use the plaintext and non-encrypted part for authentication procedures.
An attacker that has compromised a company’s network or can execute a Man-in-the-Middle (MitM) attack can intercept and modify these plaintext ticket sections to bypass Kerberos authentication, and gain access to a company’s internal resources.
While this bug requires an attacker to already have compromised a machine on a network, the Orpheus’ Lyre vulnerability is dangerous regardless, because it allows an attacker to escalate his internal access.
Debian, FreeBSD, and Samba — projects using the Heimdal Kerberos implementation — have also released patches for the flaw, tracked as CVE-2017-11103. Red Hat said it uses MIT Kerberos, so RHEL users were protected all these years.
The three researchers who discovered the bug are Jeffrey Altman, founder of AuriStor, Inc., and Viktor Dukhovni and Nicolas Williams of Two Sigma Investments, LP.
Source | Bleeping Computer