
Kerberos bypass Orpheus Lyre flaw


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A vulnerability has been identified in two popular Kerberos protocol implementations. It forces tickets exchanged over the network to be sent in plain text, allowing a threat actor to launch a man-in-the-middle attack capable of leading to credential theft and privilege escalation.

Threat details

Patches have already been rolled out for many of the mainstream projects that use the affected implementations, including Microsoft, which released patches for affected products as part of its recent Patch Tuesday release. Debian, FreeBSD and Samba have all released patches due to their use of Heimdal Kerberos.

Kerberos is an authentication protocol named after Cerberus, the three-headed guard dog of Hades in Greek mythology. Its aim is to provide a secure authentication mechanism over an untrusted network.

Two Kerberos implementations, Heimdal Kerberos and Microsoft Kerberos, have been found to be vulnerable to a flaw introduced into the code base 21 years ago.

The flaw allows an actor to force the ticket to be sent in plain text. An attacker who has compromised a company's network or can execute a man-in-the-middle (MitM) attack can intercept and modify these plaintext ticket sections to bypass Kerberos authentication and gain access to a company's internal resources.

The team behind the discovery has dubbed the flaw Orpheus' Lyre - another reference to Greek mythology, in which Orpheus was able to sneak past Cerberus using his lyre.

For further information, please see CVE-2017-8495 and Microsoft security advisory KB4022746.


Remediation steps

Type: Mitigation

• Ensure all Kerberos implementations are fully updated. The vulnerability is a client-side attack and therefore all clients require updating.
• Ensure all Kerberos-utilising products are still maintained and are receiving security updates, so that the product and nodes remain secure.


Last edited: 17 February 2020 11:33 am