Kerberos Authentication Flaw Hidden For 20 Years
The flaw, was initially found in Heimdal, an open-source implementation of Kerberos just three months ago. However, it is prevalent in other implementations including those from Microsoft.
Tracked as CVE-2017-11103, and dubbed Orpheus’ Lyre (by Jeffrey Altman, Viktor Dukhovni and Nicolas Williams), The issue could result in a remote privilege escalation and credential theft, and can trigger it to access the target network.
The issue is related to the way Kerberos handles authentication messages, Dukhovni discovered that flawed implementations of Kerberos fetched metadata from unprotected key distribution centre (KDC) tickets rather than encrypted KDC responses which he classed as a logic error.
Patches were issued last week by Microsoft and several Linux vendors, which of course needs to be taken up now; a sound security patching policy should be in place to ensure business systems are left vulnerable for as little time as possible.
Dukhovni being relevantly new to Kerberos was a factor in the discovery of this vulnerability according to Altman; He went on to suggest that junior developers, because of their greater inquisitiveness, would be more likely to find bugs like this, He also noted that awareness of their lack of seniority might make them reluctant to speak up.
Altman in an interview with The Register said “As far as we know there are no exploits in the wild. But it certainly is exploitable and we consider it to be very serious.”
Altman said every Kerberos implementation needs to be checked for this issue. While efforts have been made to notify companies like Microsoft that rely on Kerberos, not every vendor can be expected to have fixed the vulnerability.
“Given how broadly Kerberos has been deployed over the last almost 30 years, it clearly is in a wide ecosystem with a lot of different vendors,” he said, adding that some affected code may never be fixed because the vendors no longer exist.
The Orpheus’ Lyre bug arose independently in multiple different Kerberos 5 implementations, including one by KTH Royal Institute of Technology in Sweden (Heimdal) and one by Microsoft.
“The frightening part about this bug is it wasn’t a bug in one or two implementations, it had been implemented over and over again,” said Altman.
Altman’s comment about the greater inquisitiveness of junior developers being more likely to find such bugs, in part echoes what I have observed and contributed to in IT Helpdesks and Technical Support Team settings. Sometimes a non-expert on a given technology contributes to solving even the most foxing of problems more swiftly as a result of not knowing the product or system as well as their fellow colleagues tasked with said case. Often by asking the rudimentary questions or exploring ‘glossed over’ troubleshooting avenues.
If you need further information please contact us on 01622 524200 or email@example.com