Schedule a Demo
Blog March 30, 2023 PKI

Hungry, Hungry Hippos: Addressing Vulnerabilities in MS Active Directory Certificate Services

by Mark B. Cooper

The use of MS Active Directory Certificate Services (ADCS) is crucial for the secure operation of modern enterprises. However, it is vital to keep up with potential vulnerabilities that may arise within ADCS environments. This whitepaper highlights two critical vulnerabilities that affect ADCS environments and provides actionable steps to address them.


Vulnerability 1: Man-in-the-Middle (MiTM) – Relay Attacks

PetitPotam (CVE-2021-36942) is a recent NTLM relay attack that can compromise Windows domains that have AD CS running, including domain controllers. This vulnerability is a significant concern for ADCS environments that use Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

Microsoft has outlined actions in KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) to address the vulnerability. Additionally, PKI Solutions offers PKI Spotlight, which can monitor and alert when Certificate Authority Web Enrollment EPA, Certificate Enrollment Web Service EPA, and SSL are missing on IIS. The solution provides best practice recommendations on settings for Web.config files created by the CES role, disabling NTLM authentication on Domain Controllers, and disabling NTLM on any ADCS Servers using group policy.

Vulnerability 2: Elevation of Privileges Vulnerabilities

Several CVEs (CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923) have recently been identified as elevation of privilege vulnerabilities that can occur when the Kerberos Key Distribution Center (KDC) services a certificate-based authentication request. The CVE-2022-2692 vulnerability, in particular, allows low-privileged users to escalate privileges to domain administrator in a default Active Directory environment with the AD CS server role installed.

Microsoft will enforce strong mappings between an authentication certificate and the account object with a new certificate extension, Object Identifier (OID) 1.3.6.1.4.1.311.25.2, to mitigate the vulnerability. PKI Solutions is working with its customers to upgrade their PKI environments to address this vulnerability, ensuring the mitigation process does not cause authentication failures for certificates from non-ADCS CAs, Managed PKIs, Public CAs, NDES and Intune CAs, Standalone CAs, and offline cert requests.
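As an added example (not code from the original post or from PKI Solutions), the stdlib-only Python below encodes and parses the value of that strong-mapping extension, so a defender can check whether a certificate from one of the sources listed above carries a SID that matches the account it is meant to authenticate. The SID value is constructed; the structure assumed is the one Microsoft documents for the extension.

```python
# Added example, not from the original post: encode and parse the value of the
# szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2) that ADCS
# adds after the strong-mapping update. Per Microsoft's KB5014754 the value is
#   SEQUENCE { [0] { OID 1.3.6.1.4.1.311.25.2.1, [0] { OCTET STRING "S-1-5-..." } } }
# carrying the requesting account's objectSid as ASCII. Stdlib-only DER handling.
NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"
OID_OBJECTSID_DER = bytes.fromhex("060a2b060104018237190201")  # 1.3.6.1.4.1.311.25.2.1
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; short-form length suffices, a SID is well under 128 bytes."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def encode_sid_extension(sid: str) -> bytes:
    """Extension value an ADCS CA places in a certificate issued to `sid`'s account."""
    inner = _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, OID_OBJECTSID_DER + inner))

def _read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER TLV at `pos`; returns (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as a non-Microsoft encoder might emit
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_sid(ext_value: bytes):
    """Return the SID embedded in the extension, or None if the structure differs."""
    try:
        tag, seq, _ = _read_tlv(ext_value)
        tag2, other, _ = _read_tlv(seq)
        tag3, oid, pos = _read_tlv(other)
        tag4, val, _ = _read_tlv(other, pos)
        tag5, sid, _ = _read_tlv(val)
    except IndexError:
        return None
    if (tag, tag2, tag3, tag4, tag5) != (0x30, 0xA0, 0x06, 0xA0, 0x04):
        return None
    if oid != OID_OBJECTSID_DER[2:]:  # compare the OID body only
        return None
    return sid.decode("ascii", errors="replace")

def strong_mapping_ok(ext_value: bytes, account_sid: str) -> bool:
    """The KDC's strong-mapping rule: the embedded SID must equal the account's objectSid."""
    return extract_sid(ext_value) == account_sid

if __name__ == "__main__":
    ext = encode_sid_extension(SAMPLE_SID)
    print(ext.hex(), extract_sid(ext), strong_mapping_ok(ext, SAMPLE_SID))
```

A certificate whose extension is missing, or whose SID belongs to a different account than the one being authenticated, fails `strong_mapping_ok`, which is exactly the authentication failure the upgrade planning above is meant to avoid.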

It is essential for organizations to take proactive steps to secure their ADCS environments. PKI Solutions provides customized solutions and expert guidance to address the vulnerabilities affecting ADCS environments. Organizations can learn more about our products and services by visiting PKISolutions.com.

Sources:

  • KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
  • Microsoft Security Update Guide (CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923)
  • Oliver Lyak Blog (CVE-2022-2692)


Mark B. Cooper

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
