H3-2022-0022

Active Directory Certificate Services - EDITF_ATTRIBUTESUBJECTALTNAME2 flag set

Category	SECURITY_MISCONFIGURATION
Base Score	7.5

Description

Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI Certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. If the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set on the CA, any certificate request can have a user defined Subject Alternative Name (SAN). If the flag is set, a misconfigured Certificate Template that has an EKU allowing Authentication, grants low-privileged users enrollment rights, and lacks protective Issuance Requirements (e.g. - Requiring a Manager Approval or Authorized Signature) can be exploited for Domain Privilege Escalation.

Impact

Attackers can utilize a vulnerable Certificate Template to request a certificate for a Domain Administrator - leading to privilege escalation.

References

• Certified Pre-Owned: Abusing Active Directory Certificate Services
• SpectreOps - Certified Pre-Owned
• The tale of Enhanced Key (mis)Usage
• Hidden Dangers: Certificate Subject Alternative Names (SANs)
• Controlling User Added Subject Alternative Names