
H3-2022-0023

Active Directory Certificate Services: Vulnerable Certificate Authority Access Control

Category SECURITY_MISCONFIGURATION
Base Score 7.5

Description

Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. AD Certificate Authorities have a set of permissions that secure various CA actions. The two main rights are 'ManageCA' and 'ManageCertificates'. A principal with ManageCA rights on a CA can use PSPKI to remotely flip the EDITF_ATTRIBUTESUBJECTALTNAME2 bit, which allows Subject Alternative Name (SAN) specification on any certificate request. A principal with ManageCertificates (aka Officer) rights can remotely approve pending certificate requests, allowing an attacker to subvert Manager Approval protections.
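An audit check for the two conditions described above, added here as an example and not taken from the advisory or from PSPKI. It assumes the CA's security descriptor has already been exported as an SDDL string and the policy module's EditFlags value read as an integer; the allow-list of expected administrators, the sample SDDL and the sample flag values are constructed.

```python
import re

# CA access-mask bits for the two rights this page names, and the policy flag.
CA_RIGHTS = {0x1: "ManageCA", 0x2: "ManageCertificates"}
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# SDDL two-letter codes for the low access-mask bits; other codes are ignored.
SDDL_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
             "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}

# Assumption: only Builtin, Domain and Enterprise Admins should manage the CA.
EXPECTED_ADMINS = {"BA", "DA", "EA"}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into an integer."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(SDDL_BITS.get(rights[i:i + 2], 0) for i in range(0, len(rights), 2))

def risky_ca_aces(sddl):
    """Return (trustee, rights) for allow ACEs granting CA management rights
    to anyone outside EXPECTED_ADMINS."""
    findings = []
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) < 6 or fields[0] != "A":
            continue
        mask, trustee = parse_mask(fields[2]), fields[5]
        held = [name for bit, name in CA_RIGHTS.items() if mask & bit]
        if held and trustee not in EXPECTED_ADMINS:
            findings.append((trustee, held))
    return findings

def san_flag_enabled(edit_flags):
    """True when requesters may supply their own SAN on any request."""
    return bool(edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2)

# Constructed sample: two admin groups, Authenticated Users with 0x300,
# and two ordinary accounts holding one management right each.
SAMPLE_SDDL = ("O:BAG:BAD:(A;;CCDC;;;BA)(A;;CCDC;;;DA)(A;;0x300;;;AU)"
               "(A;;0x2;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
               "(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1106)")

if __name__ == "__main__":
    for trustee, rights in risky_ca_aces(SAMPLE_SDDL):
        print(f"review: {trustee} holds {', '.join(rights)}")
    print("SAN flag set:", san_flag_enabled(0x15014E))  # constructed value
```

Any trustee reported here should be checked against who is actually meant to administer the CA, and a set SAN flag should be treated as a finding on its own.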

Impact

If an attacker gains access to an otherwise low-privilege account with ManageCA or ManageCertificates rights, they can modify CA and Certificate Template settings to achieve domain privilege escalation.

References