A vulnerability hidden in Kerberos code for more than 20 years met its end in patches issued this week by Microsoft and several Linux vendors.
Having found the flaw three months ago in Heimdal, an open-source implementation of Kerberos, Jeffrey Altman, founder of AuriStor, and Viktor Dukhovni and Nicolas Williams from Two Sigma Investments, dubbed the bug Orpheus' Lyre.
Just as the mythological Orpheus used his lyre to sneak past Cerberus, this errant bit of code can bypass Kerberos.
The vulnerability has to do with the way Kerberos handles authentication messages that combine both cryptographically protected data and unauthenticated plaintext. Affected implementations of Kerberos fetched metadata from unprotected key distribution center (KDC) tickets rather than encrypted KDC responses, something Altman characterized as a logic error.
The flaw could be used for credential theft and remote privilege escalation, though to exploit it, an attacker would have to have network access.
"The attacker needs to be on the network and to have control over a service principle that the client could communicate with," said Altman in a phone interview with The Register. "As far as we know there are no exploits in the wild. But it certainly is exploitable and we consider it to be very serious."
Altman said every Kerberos implementation needs to be checked for this issue. While efforts have been made to notify companies like Microsoft that rely on Kerberos, not every vendor can be expected to have fixed the vulnerability.
"Given how broadly Kerberos has been deployed over the last almost 30 years, it clearly is in a wide ecosystem with a lot of different vendors," he said, adding that some affected code may never be fixed because the vendors no longer exist.
The Orpheus' Lyre bug arose independently in multiple different Kerberos 5 implementations, including one by KTH Royal Institute of Technology in Sweden (Heimdal) and one by Microsoft.
"The frightening part about this bug is it wasn't a bug in one or two implementations, it had been implemented over and over again," said Altman.
That suggests the specification provided insufficient guidance. Altman, however, said the necessary information to build the code securely was there, it just didn't scream at you. "A developer working in the security space should have enough of a clue to understand that fields sent in the clear can be tampered with," he said.
Altman said that in hindsight, the bug could have been prevented by removing the unencrypted fields, which would force the use of the encrypted ones when constructing an authentication request.
At the same time, he doubts modern tooling and techniques would have caught the bug, "because there is no annotation language to describe what is trusted and what is not."
Altman believes that the longevity of this particular vulnerability challenges the notion that open source code is magically more secure than closed source code. "The fact that this has been around for as long as it has been in open source, I think, is just one more case that should debunk the theory that open source programming is in some way more secure than closed source programming."
Both open source and closed source implementations failed in this case. "Microsoft had more money and more automated tools, and they could not find it," he said. "The open source community could have an infinite number of eyeballs looking at the code, but the reality is no one ever does."
Altman recounted interviewing many years ago at both IBM and Microsoft. At IBM, he said, they proudly showed off the company library and advised him to start there before working on any code to avoid reinventing the wheel. At Microsoft, he said, "They were very proud of the fact that they wanted everyone to reinvent the wheel. They felt that would result in faster, better evolution."
Noting that both he and Williams have decades of experience with Kerberos, Altman credited Dukhovni's relative inexperience with Kerberos as the thing that helped reveal the flaw. He suggested junior developers, because of their greater inquisitiveness, would be more likely to find bugs like this, while also noting that awareness of their lack of seniority might make them reluctant to speak up.
Altman expects these sorts of bugs to continue to plague the open-source community because developers are often not compensated for their contributions.
"We will never be reimbursed for the cost to our lives and the lost time to our companies for having done this favor to the world," he said. "As a society, we need to understand what the costs of this work are." ®