Active Directory Certificate Services Vulnerability Enables Privilege Escalation
2024-12-01
Need some FUD? Learn about the critical vulnerabilities in Microsoft's Active Directory Certificate Services and the importance of securing certificate infrastructures to protect against domain compromises.
A critical vulnerability in Microsoft's Active Directory Certificate Services (AD CS) allows attackers to escalate privileges and potentially gain domain admin access by manipulating certificate requests. Discovered by TrustedSec in October 2024, this exploit, known as ESC15, affects AD CS environments using version 1 certificate templates with specific configurations. It enables attackers with basic enrollment rights to bypass restrictions and gain unauthorized privileges by crafting Certificate Signing Requests (CSRs) that override intended attributes. This vulnerability highlights ongoing challenges in securing AD CS infrastructures and poses a risk of domain compromise, particularly through the commonly used WebServer template.
Privilege Escalation, Misconfiguration, Over Permissive Roles
Active Directory, Certificate Services, ESC15, EKUwu, Microsoft, Privilege Escalation, AD CS Vulnerability
Microsoft, Active Directory Certificate Services
Critical Vulnerability in Active Directory Certificate Services

A critical security vulnerability has been identified in Microsoft's Active Directory Certificate Services (AD CS), posing a significant threat to organizations relying on this infrastructure for certificate management. This vulnerability allows attackers to escalate their privileges and potentially gain domain admin access, highlighting the ongoing challenges in securing AD CS environments.

Understanding the Exploit: ESC15 "EKUwu"

The newly discovered exploit, referred to as ESC15 or "EKUwu," was unveiled by TrustedSec in October 2024. This vulnerability affects AD CS environments that utilize version 1 certificate templates with particular configurations. Attackers with basic enrollment rights can exploit this flaw to manipulate certificate requests, bypassing intended restrictions and obtaining unauthorized privileges.

How the Exploit Works

The vulnerability leverages a quirk in how AD CS handles certificate requests. Attackers can craft Certificate Signing Requests (CSRs) that include application policies, overriding the intended Extended Key Usage (EKU) attributes specified in the certificate template. This manipulation allows the generation of certificates with elevated privileges, such as client authentication, certificate request agent, and code signing capabilities.

Impact on Common Templates

A particularly concerning aspect of this vulnerability is its impact on commonly used templates, like the WebServer template. Although this template typically does not include client authentication permissions, the vulnerability allows attackers to add these capabilities, which could lead to domain compromise.

Historical Context

This vulnerability builds on a series of previous AD CS vulnerabilities, known as ESC1 through ESC14, which were documented by SpecterOps researchers in 2021. The discovery of ESC15 underscores the persistent security challenges in managing and securing AD CS infrastructures.

Mitigation and Recommendations

Organizations using AD CS should review their certificate template configurations and apply any available patches or updates from Microsoft. It's crucial to monitor and restrict enrollment rights and implement additional security measures to mitigate the risk of exploitation.
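The template review and issuance monitoring recommended above can be scripted. The following is an added example, not code from the article or from TrustedSec: it flags version 1 templates where the requester supplies the subject (the configuration named in public ESC15 write-ups, not spelled out on this page) and issued certificates whose application policies go beyond the template's EKUs. The record fields stand in for the AD attributes msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag and pKIExtendedKeyUsage; the sample records, the ExampleV1Fixed and ExampleV2Web templates, and the account names are constructed.

```python
# Added example (not from the article): ESC15 exposure audit over constructed data.
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
BROAD = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.4.1.311.20.2.1": "Certificate Request Agent",
}

def exposed_templates(templates):
    """Schema-version-1 templates where the requester supplies the subject."""
    findings = []
    for t in templates:
        if t["schema_version"] != 1 or not t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT:
            continue
        broad = sorted(BROAD & set(t["enrollers"]))
        findings.append({"template": t["name"], "broad_enrollers": broad,
                         "severity": "high" if broad else "review"})
    return findings

def unexpected_policies(issued, templates):
    """Issued certificates whose application policies exceed the template's EKUs."""
    allowed = {t["name"]: set(t["ekus"]) for t in templates}
    alerts = []
    for c in issued:
        extra = set(c["app_policies"]) - allowed.get(c["template"], set())
        if extra:
            alerts.append({"request_id": c["request_id"], "requester": c["requester"],
                           "extra": sorted(EKU_NAMES.get(o, o) for o in extra)})
    return alerts

# Constructed sample: template attributes and CA issuance records (hypothetical names).
TEMPLATES = [
    {"name": "WebServer", "schema_version": 1, "name_flag": 0x1,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enrollers": ["Domain Admins", "Domain Users"]},
    {"name": "ExampleV1Fixed", "schema_version": 1, "name_flag": 0x0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enrollers": ["Domain Users"]},
    {"name": "ExampleV2Web", "schema_version": 2, "name_flag": 0x1,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enrollers": ["Web Admins"]},
]
ISSUED = [
    {"request_id": 101, "template": "WebServer", "requester": "CORP\\svc-web",
     "app_policies": []},
    {"request_id": 102, "template": "WebServer", "requester": "CORP\\jdoe",
     "app_policies": ["1.3.6.1.5.5.7.3.2"]},
]

if __name__ == "__main__":
    for f in exposed_templates(TEMPLATES):
        print("TEMPLATE", f)
    for a in unexpected_policies(ISSUED, TEMPLATES):
        print("ISSUED", a)
```

A certificate from a version 1 template normally carries no application policies at all, so any alert from the second check deserves a look at who requested it and why.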
https://cybersecuritynews.com/active-directory-certificate-services-vulnerability/amp/