Windows, Linux distros, macOS pay for Kerberos 21-year-old ‘cryptographic sin’

Windows, Linux distros, macOS pay for Kerberos 21-year-old ‘cryptographic sin’


A bypass bug present in the Kerberos cryptographic authentication protocol for 21 years has now been fixed in patches from Microsoft, Samba, Fedora, FreeBSD, and Debian.
The discoverers of the ancient Kerberos bypass bug have called it Orpheus Lyre after Orpheus, the musician from Greek legend who bypassed Cerberos, the three-headed hound guarding the gates of Hades. Orpheus pacified the dog with the music of his lyre.
Kerberos, which is named after Cerberos, is implemented as a cryptographic authentication protocol in products like Microsoft’s Active Directory. Microsoft fixed the bug in this week’s patch Tuesday update.
Samba, Debian, and FreeBSD are also affected through the open-source Heimdal implementation of Kerberos V5. Heimdal before version 7.4 is vulnerable. It appears Apple’s Kerberos implementation in macOS is also vulnerable to Orpheus Lyre. However, the MIT implementation is not.
Orpheus Lyre was discovered by Jeffrey Altman, Viktor Duchovni and Nico Williams. They explain in a post that Orpheus Lyre can be used by a man-in-the-middle attacker to remotely steal credentials, and from there gain privilege escalation to defeat Kerberos encryption.
Instead of public-key cryptography’s use of digital certificates from certificate authorities, the Kerberos protocol relies on a trusted third-party called the key distribution center (KDC).
These KDCs issue “short-lived tickets” that are used to authenticate a client to a specific service. An encrypted portion of the ticket contains the name of the intended user, metadata, and a session key. The KDC also provides the user with a session key that creates an Authenticator, which is used to prove they know the session key.
As they explain, Kerberos’ “original cryptographic sin” was the abundance of unauthenticated plaintext in the protocol. While Kerberos can be secure, implementing it so as to authenticate plaintext is difficult.

Submitted by: Arnfried Walbrecht