The Complete Magazine on Open Source

A 21-year-old Kerberos protocol bug affects Linux, Windows and macOS

Kerberos bug Orpheus' Lyre

A new bug has surfaced online that can cause man-in-the-middle attacks to steal credentials on Linux, Windows and macOS systems. Called Orpheus’ Lyre, the bug is claimed to be a part of computer network authentication protocol Kerberos for the last 21 years.

Kerberos ensures a secure communication and allows the nodes to cross-verify their identity. The authentication in the Kerberos process is done using tickets. But to facilitate ticket authentication, the protocol uses symmetric key cryptography that requires a trusted third party.

A team of security researchers has identified Orpheus’ Lyre in the unauthenticated plaintext of Kerberos that helps validate tickets. The researchers call this plaintext as a cryptographic sin.

One of the instances in Kerberos responses lets an individual use a specific unauthenticated plaintext instead of authenticated copy of the same text. The metadata in the same portion can be taken from that unauthenticated plaintext. This vulnerable structure ultimately allows attackers to steal details and access privileges.

“The original cryptographic sin of Kerberos is an abundance of unauthenticated plaintext in the protocol. That is, portions of Kerberos messages are neither encrypted nor integrity-protected in some direct cryptographic manner,” said the researchers’ team, consists of Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams, writes in a blog post.

Security researchers have named the bug after a Greek mythological musician. The mythical figure controlled a three-headed hound Cerberos using lyre’s music.

Affects three major implementations

The 21-year old bug has affected three implementations of Kerberos, namely Kerberos V5, Samba and FreeBSD. However, the MIT implementation remains unaffected.

Various Linux distribution maintainers have released a bunch of patches to fix the security loophole. But the Kerberos protocol is yet to be updated for all compatible platforms.