Microsoft ADCS Vulnerability - CVE-2024-49019 Escalation of Privilege

Microsoft just announced another Active Directory Certificate Services (ADCS) related vulnerability CVE-2024-49019. This vulnerability has a base score of 7.8 and is related to weak authentication that can lead to an escalation of privilege within Active Directory environments.

This is yet another example of poorly configured and monitored PKI environments leading to vulnerabilities that undermine the security needs of organizations. As more and more organizations depend on PKI and its related certificates for user and computer identities and data encryption, persistent vulnerabilities like this have the potential to overwhelm organizations.

This vulnerability is like others we have seen – overly broad permissions on a template that allows an adversary to create authentication identities as privileged accounts and eventually compromise an organization. These settings are easily made and difficult to spot in real-time to mitigate. The vulnerability is easily fixed; the trouble is finding the affected templates and finding the vulnerability in real time.

This vulnerability is resolved by removing overly broad enrollment permissions for templates (not just V1 templates as noted in this CVE; any template has this issue). You will have some legitimate needs for Supply in the Request for subject names – such as web servers and non-AD joined machines. You can use tighter enroll permissions to only allow trusted individuals to enroll or you can also use Require CA Manager Approval to have a second individual review and approve the request before issuing it.

This is a problem we have been focused on solving for the last few years with PKI Spotlight. The ability to not only see which templates are set insecurely but also to receive real-time information when a template is configured incorrectly. That means you can see this vulnerability in your environment the moment it is introduced – not months or years later in the triage of a compromise.

If you are focusing your efforts on Certificate Lifecycle Management (CLM) products, you should know none of the players in the space help protect your PKI from vulnerabilities like this and many others. CLM is not a cybersecurity tool for resilience and security – they are tools to help you issue and renew end-point certificates. So, the next time you talk with your CLM vendor, ask them how they alert you to vulnerabilities and resilience issues in your PKI. It’s okay. We will be here to take your call when they cannot answer that simple question. Trust me, really. Make the call to them!