Short Bytes: A team of security researchers has found a bug in the Kerberos network authentication protocol. Called Orpheus’ Lyre, this flaw could be used by a man-in-the-middle attacker to steal credentials, and gain escalated privileges. The fixes for the affected platforms have been released in the form of patches.Kerberos is a computer network authentication protocol that ensures a secure communication by allowing the nodes to prove their identity to each other securely. This is done on the basis of Tickets. Kerberos is based on symmetric key cryptography and needs a trusted third-party.
A team of researchers has found a bug in the Kerberos authentication protocol. They have named this vulnerability as Orpheus’ Lyre. For those who don’t know, Orpheus was a Greek mythological musician who controlled a three-headed hound, Cerberos, with his lyre’s music. Kerberos is itself named after Cerberos.
Kerberos vulnerability explained in brief
Coming back to the flaw, it affects operating systems from the likes of Apple, Microsoft, FreeBSD, Red Hat, and Debian. This 21-year-old bug has now been fixed in the patches released by the creators of different operating systems.
This bug affects three implementations of Kerberos. Through the open source Heimdal implementation of Kerberos V5, Samba and FreeBSD are affected. It should be noted that the MIT implementation of Kerberos remains unaffected.
In Kerberos protocol, there’s an abundance unauthenticated plaintext, something which has been called cryptographic sin by the researchers. As a result, portions of messages are neither encrypted nor integrity-protected. To make sure that the protocol remains secure despite the wealth of unauthenticated plaintext, extreme care has been taken to authenticate the said plaintext.
But, one instance, the Ticket issued in KDC responses, could allow one to use a specific unauthenticated plaintext instead of authenticated copy of same text. This flaw is mitigated by the proper use of the metadata in the KCD response’s encrypted portion. However, due to the bug, that metadata could be taken from the unauthenticated plaintext.
This bug, Orpheus’ Lyre, allows a man-in-the-middle attacker to remotely steal details and gain escalated privileges. The details regarding relevant CVEs and patches can be found in the security blog post.