A vulnerability hidden in Kerberos code for more than 20 years met its end in patches issued on Tuesday, 11 July 2017 by Microsoft and several Linux vendors.
Kerberos is a cryptographic authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.
The vulnerability has to do with the way Kerberos handles authentication messages that combine both cryptographically protected data and unauthenticated plaintext. Affected implementations of Kerberos fetched metadata from unprotected key distribution center (KDC) tickets rather than encrypted KDC responses, something Altman characterized as a logic error.
This vulnerability can be exploited in a number of ways, and in some cases it can lead to remote credential theft, and thus remote privilege escalation, largely defeating Kerberos. Attackers do have to be on-path (logically, at least) between the victim client and a KDC.
Kerberos is a lot like a PKI, but instead of public key cryptography, with certification authorities (CAs) and certificates, Kerberos has a trusted third-party, the Key Distribution Centers (KDCs) that issue short-lived tickets. These tickets are encrypted using a symmetric key known to the relying party (usually a service) and the KDC for that party’s administrative “realm”. The encrypted portion of a Kerberos ticket bears the name of the client principal (usually a user) being authenticated to the service principal, metadata such as the ticket’s expiration time, and -crucially!- a “session key” that the KDC will arrange for the user to also know. The client principal (user) uses this session key to create an Authenticator with which to prove knowledge of the session key to the service principal, and that’s how one uses Kerberos to authenticate a client user to some service. If the client presents a Ticket and Authenticator, and the service can decrypt the Ticket, extract the “session key”, and decrypt the Authenticator with the session key, then the client is whoever the Ticket says they are, for they possessed the cryptographic key with which to make that Authenticator.
Orpheus’ Lyre allows an attacker who is on-path (physically or logically) between the client and the services it talks to (including the KDCs) to mount a service impersonation attack on the client. That is, a man-in-the-middle (MITM) on the wire can impersonate some services to the client.
This vulnerability is a client-side vulnerability and all the affected clients must be patched .It cannot be mitigated by patching servers.
Every Kerberos implementation needs to be checked for this issue. While efforts have been made to notify companies like Microsoft that rely on Kerberos, not every vendor can be expected to have fixed the vulnerability.