Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Old Kerberos Bypass Flaw Patched in Windows, Linux

A 20-year-old authentication bypass vulnerability affecting some implementations of the Kerberos protocol has been patched in Windows, Linux and BSD operating systems.

A 20-year-old authentication bypass vulnerability affecting some implementations of the Kerberos protocol has been patched in Windows, Linux and BSD operating systems.

Kerberos, whose name stems from the mythological three-headed hound Cerberus, is an authentication protocol that uses “tickets” to allow nodes to communicate securely over a non-secure network.

The flaw has been dubbed Orpheus’ Lyre because similar to how the bard Orpheus managed to get past Cerberus by putting it to sleep with his lyre, the vulnerability can be used to bypass Kerberos.

Researchers Jeffrey Altman, Viktor Duchovni and Nico Williams first discovered the security hole in the Heimdal implementation of Kerberos, which had been vulnerable since late 1996. Microsoft’s implementation also turned out to be affected, but the MIT Kerberos was never impacted. Orpheus' Lyre vulnerability

The experts have not provided too many technical details in order to give users time to apply the patches. However, they did reveal that the flaw affects the Kerberos v5 specification and it’s related to the use of unauthenticated plaintext.

A man-in-the-middle (MitM) attacker can exploit the vulnerability to steal credentials, escalate privileges, and bypass authentication.

“In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in ‘enc_part’ instead of the unencrypted version stored in ‘ticket’. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks,” said the developers of Heimdal, who track the flaw as CVE-2017-11103.

Heimdal is used by several Linux distributions, which have already started releasing patches. Red Hat is not affected as it uses the MIT implementation of Kerberos.

The vulnerability has also been addressed in Samba, which includes the Heimdal Kerberos since version 4.0.0. FreeBSD has also published an advisory.

Microsoft, which tracks the flaw as CVE-2017-8495, addressed it in Windows with its latest Patch Tuesday updates.

“A security feature bypass vulnerability exists in Microsoft Windows when Kerberos fails to prevent tampering with the SNAME field during ticket exchange. An attacker who successfully exploited this vulnerability could use it to bypass Extended Protection for Authentication.

To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle attack against the traffic passing between a client and the server,” Microsoft said in its advisory.

The experts who discovered Orpheus’ Lyre pointed out that this is a client-side bug that cannot be mitigated on the server side.

While the researchers, Samba and Heimdal have classified this as a critical vulnerability, Microsoft and some of the affected Linux distributions assigned it an “important” or “medium” severity rating, likely due to the fact that the attacker requires network access for exploitation.

Related Reading: Microsoft Patches LDAP Relay Vulnerability in NTLM

Related Reading: Microsoft, Samba Patch “Badlock” Vulnerability

Related Reading: Microsoft Fixes Critical Kerberos Flaw Under Attack With Out-of-Band Patch

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.