H3-2022-0019

Active Directory Certificate Services Misconfigured Template Requires Enrollment Agent Signature

Category	SECURITY_MISCONFIGURATION
Base Score	7.5

Description

Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI Certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. A misconfigured ADCS Certificate Template has an EKU allowing Domain Authentication, specifies an Application Policy Issuance Requirement requiring a certificate request be signed by an Enrollment Agent, but is otherwise unprotected. In order to be abused by an attacker, a vulnerable Enrollment Agent template must also be present in the environment. See 'Certified Pre-Owned: Misconfigured Enrollment Agent Templates -ESC3' for additional details.

Impact

If attackers have access to an Enrollment Agent Certificate, they can utilize it to sign a certificate request for this vulnerable template 'on behalf of' a Domain Administrator - leading to Domain Privilege Escalation.

References

• Certified Pre-Owned: Abusing Active Directory Certificate Services
• SpectreOps - Certified Pre-Owned