Kerberos bypass, login theft bug slain by Microsoft, Linux slingers

Only took two decades to spot dodgy authentication mechanisms

A vulnerability hidden in Kerberos code for more than 20 years met its end in patches issued this week by Microsoft and several Linux vendors.

Having found the flaw three months ago in Heimdal, an open-source implementation of Kerberos, Jeffrey Altman, founder of AuriStor, and Viktor Dukhovni and Nicolas Williams from Two Sigma Investments, dubbed the bug Orpheus' Lyre.

Just as the mythological Orpheus used his lyre to sneak past Cerberus, this errant bit of code can bypass Kerberos.

The vulnerability has to do with the way Kerberos handles authentication messages that combine both cryptographically protected data and unauthenticated plaintext. Affected implementations of Kerberos fetched metadata from unprotected key distribution center (KDC) tickets rather than encrypted KDC responses, something Altman characterized as a logic error.

The flaw could be used for credential theft and remote privilege escalation, though to exploit it, an attacker would have to have network access.

"The attacker needs to be on the network and to have control over a service principal that the client could communicate with," said Altman in a phone interview with The Register. "As far as we know there are no exploits in the wild. But it certainly is exploitable and we consider it to be very serious."

Altman said every Kerberos implementation needs to be checked for this issue. While efforts have been made to notify companies like Microsoft that rely on Kerberos, not every vendor can be expected to have fixed the vulnerability.

"Given how broadly Kerberos has been deployed over the last almost 30 years, it clearly is in a wide ecosystem with a lot of different vendors," he said, adding that some affected code may never be fixed because the vendors no longer exist.

The Orpheus' Lyre bug arose independently in multiple different Kerberos 5 implementations, including one by KTH Royal Institute of Technology in Sweden (Heimdal) and one by Microsoft.

"The frightening part about this bug is it wasn't a bug in one or two implementations, it had been implemented over and over again," said Altman.

That suggests the specification provided insufficient guidance. Altman, however, said the necessary information to build the code securely was there; it just didn't scream at you. "A developer working in the security space should have enough of a clue to understand that fields sent in the clear can be tampered with," he said.

Altman said that in hindsight, the bug could have been prevented by removing the unencrypted fields, which would force the use of the encrypted ones when constructing an authentication request.
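The logic error described above, and the fix Altman describes, shown side by side in a constructed toy model of a KDC reply. This is an added illustration, not Heimdal's, Microsoft's or AuriStor's code, and it is not real Kerberos ASN.1: the "encryption" of the reply's enc-part is stood in for by a MAC under an assumed client key, and every name (`kdc_reply`, `seal`, `CLIENT_KEY`, the service names) is hypothetical.

```python
import hashlib
import hmac
import json

CLIENT_KEY = b"constructed-client-long-term-key"  # assumed client/KDC shared secret

def seal(key: bytes, fields: dict) -> dict:
    """Stand-in for the protected KDC-REP enc-part: payload plus MAC under the client key."""
    payload = json.dumps(fields, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.hex(), "mac": mac}

def unseal(key: bytes, enc_part: dict) -> dict:
    """Verify the enc-part before believing anything in it."""
    payload = bytes.fromhex(enc_part["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, enc_part["mac"]):
        raise ValueError("enc-part integrity check failed")
    return json.loads(payload)

def kdc_reply(sname: str, realm: str) -> dict:
    """Constructed reply: a plaintext Ticket header next to a protected enc-part.
    Both carry sname/realm; only the enc-part is authenticated to the client."""
    return {
        "ticket": {"sname": sname, "realm": realm, "enc_part": "<opaque, under service key>"},
        "enc_part": seal(CLIENT_KEY, {"sname": sname, "realm": realm, "session_key": "k1"}),
    }

def service_name_vulnerable(reply: dict) -> str:
    """The Orpheus' Lyre pattern: metadata taken from the unauthenticated Ticket fields."""
    t = reply["ticket"]
    return f'{t["sname"]}@{t["realm"]}'

def service_name_fixed(reply: dict) -> str:
    """Corrected client: the same metadata, but read only from the verified enc-part."""
    e = unseal(CLIENT_KEY, reply["enc_part"])
    return f'{e["sname"]}@{e["realm"]}'

def header_matches_enc_part(reply: dict) -> bool:
    """Defensive check: flag any reply whose cleartext header disagrees with the enc-part."""
    e = unseal(CLIENT_KEY, reply["enc_part"])
    t = reply["ticket"]
    return (t["sname"], t["realm"]) == (e["sname"], e["realm"])

def tampered_reply() -> dict:
    """Constructed sample: cleartext header altered in transit, enc-part left intact."""
    reply = kdc_reply("host/fileserver", "EXAMPLE.ORG")
    reply["ticket"]["sname"] = "host/other"
    return reply
```

Run `service_name_vulnerable` and `service_name_fixed` over `tampered_reply()` to see the vulnerable reader follow the cleartext while the fixed reader, and the consistency check, do not.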

At the same time, he doubts modern tooling and techniques would have caught the bug, "because there is no annotation language to describe what is trusted and what is not."

Altman believes that the longevity of this particular vulnerability challenges the notion that open source code is magically more secure than closed source code. "The fact that this has been around for as long as it has been in open source, I think, is just one more case that should debunk the theory that open source programming is in some way more secure than closed source programming."

Both open source and closed source implementations failed in this case. "Microsoft had more money and more automated tools, and they could not find it," he said. "The open source community could have an infinite number of eyeballs looking at the code, but the reality is no one ever does."

Altman recounted interviewing many years ago at both IBM and Microsoft. At IBM, he said, they proudly showed off the company library and advised him to start there before working on any code to avoid reinventing the wheel. At Microsoft, he said, "They were very proud of the fact that they wanted everyone to reinvent the wheel. They felt that would result in faster, better evolution."

Noting that both he and Williams have decades of experience with Kerberos, Altman credited Dukhovni's relative inexperience with Kerberos as the thing that helped reveal the flaw. He suggested junior developers, because of their greater inquisitiveness, would be more likely to find bugs like this, while also noting that awareness of their lack of seniority might make them reluctant to speak up.

Altman expects these sorts of bugs to continue to plague the open-source community because developers are often not compensated for their contributions.

"We will never be reimbursed for the cost to our lives and the lost time to our companies for having done this favor to the world," he said. "As a society, we need to understand what the costs of this work are." ®
