
H3-2022-0016

Active Directory Certificate Services Misconfiguration Privilege Escalation - Subject Alternative Name

Category: SECURITY_MISCONFIGURATION
Base Score: 7.5

Description

Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation, integrated with Active Directory. Principals request certificates based on Certificate Templates, which are collections of enrollment policies and predefined certificate settings. A misconfigured ADCS Certificate Template that can be used for Client Authentication is present on the Enterprise CA. The vulnerable template grants enrollment rights to low-privileged users, allows requesters to specify a subjectAltName (SAN) in the request, and lacks protective issuance requirements (e.g., manager approval or an authorized signature).
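
The conditions above can be checked per template from its directory attributes. The following audit sketch is an added example, not code from this advisory; it runs on constructed template records, and the `enrollers` field (principals holding Enroll rights, resolved from the template's security descriptor), the `LOW_PRIV` set and the template names are assumptions.

```python
# Added example: evaluates constructed template records, not live directory data.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that allow the certificate to be used for authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: principals treated as low-privileged in this environment
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def audit_template(t):
    """Evaluate each condition from the description; all must hold to flag."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    enroll_flag = t.get("msPKI-Enrollment-Flag", 0)
    name_flag = t.get("msPKI-Certificate-Name-Flag", 0)
    findings = {
        # An empty EKU list means the certificate is valid for any purpose.
        "client_auth": not ekus or bool(ekus & AUTH_EKUS),
        "requester_supplies_san": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # Neither manager approval nor authorized signatures are required.
        "no_issuance_requirements": not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS)
        and t.get("msPKI-RA-Signature", 0) == 0,
        # "enrollers" is a hypothetical field: names resolved from the template ACL.
        "low_priv_enrollers": sorted(set(t.get("enrollers", [])) & LOW_PRIV),
    }
    findings["vulnerable"] = all(findings.values())
    return findings


def vulnerable_templates(templates):
    return [t["cn"] for t in templates if audit_template(t)["vulnerable"]]


TEMPLATES = [  # constructed sample data
    {"cn": "ExampleVPNUser", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "enrollers": ["Domain Users", "Domain Admins"]},
    {"cn": "ExampleVPNUserApproved", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "enrollers": ["Domain Users"]},
    {"cn": "ExampleWebServer", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "enrollers": ["Domain Admins"]},
]

if __name__ == "__main__":
    for name in vulnerable_templates(TEMPLATES):
        print("misconfigured template:", name)
```

Only the first record is flagged: the second requires manager approval, and the third has no authentication EKU and no low-privileged enrollers.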

Impact

Attackers can use the vulnerable Certificate Template to request a certificate for a Domain Administrator, leading to privilege escalation.

References