top of page

Orpheus' Lyre puts Kerberos to Sleep!

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography and it is available in many commercial products as well.

Researchers have found vulnerability in the Kerberos network protocol used in Windows, Linux, and MacOS operating systems. It was called Orpheus Lyre - in ancient Greek mythology the sounds of the of Orpheus’ lyre lulled the three-headed dog Cerberus, the creature the protocol was named after, to sleep.

The problem was discovered by cyber security researchers Jeffrey Altman, Victor Duchovny and Nico Williams. Interestingly, the vulnerability has been there for 21 years.

Loosely speaking, Kerberos is what’s known as a ticket-based authentication system. If client X wants to access server Y, for example, it doesn’t negotiate directly with server Y, but first contacts the Kerberos server and requests an “access ticket”, thus allowing the authentication process to be centralized and carefully managed.

Kerberos uses third-party encryption keys from Key distribution center (KDC). Session keys generated there are used to authenticate the user to a service. Unfortunately – perhaps because its design dates to the 1980s, before cybercrime became the problem it is today – Kerberos doesn’t encrypt everything that it stores in the access tickets it generates.

This opens the possibility of "man in the middle" attacks, where metadata can be taken from the non-encrypted part of the session, not the KDC's protected response. By taking control of the session hackers can remotely acquire user credentials, enhance their privileges in the system, and break the encryption of the protocol.

Kerberos is used in the Microsoft Active Directory network service in Windows Server operating systems. At the end of last week, the company released the necessary fixes to eliminate the "punch".

The Debian and FreeBSD operating systems as well as the Samba software (to access Windows File and Print Services) are also affected by Orpheus Lyre. Linux distributions are vulnerable to Fedora.

The implementation of Kerberos in macOS also allows for similar attacks.

For in-depth understanding of the issue check out our partners from Naked Security by Sophos with another great read

bottom of page