Blog March 30, 2023 PKI

Hungry, Hungry Hippos: Addressing Vulnerabilities in MS Active Directory Certificate Services

by Mark B Cooper

MS Active Directory Certificate Services (ADCS) underpins the secure operation of many modern enterprises, so it is vital to stay current with the vulnerabilities that arise in ADCS environments. This whitepaper highlights two critical classes of vulnerability that affect ADCS environments and provides actionable steps to address them.


Vulnerability 1: Man-in-the-Middle (MiTM) – Relay Attacks

PetitPotam (CVE-2021-36942) is a recent NTLM relay attack that can compromise Windows domains running AD CS, including their domain controllers. It is a significant concern for ADCS environments that use Certificate Authority Web Enrollment or the Certificate Enrollment Web Service (CES), because both endpoints accept NTLM authentication over HTTP unless hardened.

Microsoft has outlined the required actions in KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS). Additionally, PKI Solutions offers PKI Spotlight, which monitors and alerts when Extended Protection for Authentication (EPA) is missing on Certificate Authority Web Enrollment or on the Certificate Enrollment Web Service, or when SSL is not required on IIS. The product also provides best-practice recommendations for the Web.config settings created by the CES role, for disabling NTLM authentication on domain controllers, and for disabling NTLM on any ADCS server via Group Policy.

Vulnerability 2: Elevation of Privileges Vulnerabilities

Several CVEs (CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923) have recently been identified as elevation-of-privilege vulnerabilities that occur when the Kerberos Key Distribution Center (KDC) services a certificate-based authentication request. CVE-2022-26923, in particular, allows a low-privileged user to escalate to domain administrator in a default Active Directory environment with the AD CS server role installed.

To mitigate the vulnerability, Microsoft will enforce strong mappings between an authentication certificate and the account object by means of a new certificate extension (OID 1.3.6.1.4.1.311.25.2). PKI Solutions is working with its customers to upgrade their PKI environments for this change, ensuring the mitigation process does not cause authentication failures for non-ADCS CAs, managed PKIs, public CAs, NDES and Intune CAs, standalone CAs, and offline certificate requests.
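The two mitigations above are configuration states an administrator can audit. The following read-only PowerShell script is an added example, not PKI Solutions' or Microsoft's code: it checks the KB5005413 settings (EPA and SSL on CA Web Enrollment, the CES Web.config, incoming NTLM restriction) and, on a domain controller, the KDC strong-mapping enforcement value from KB5014754. It assumes the WebAdministration module, the default site name, and that CES applications carry "_CES_" in their IIS path.

```powershell
# Added audit example (not PKI Solutions' or Microsoft's code). Run elevated on an
# AD CS server hosting Web Enrollment and/or CES; site name and CES path pattern
# are assumptions and may need adjusting for your environment.
Import-Module WebAdministration
$findings = New-Object System.Collections.Generic.List[string]

# KB5005413 (Vulnerability 1): CA Web Enrollment must require EPA and SSL.
$certSrv = 'IIS:\Sites\Default Web Site\CertSrv'
if (Test-Path $certSrv) {
    $epa = Get-WebConfiguration -PSPath $certSrv `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    if ($epa.tokenChecking -ne 'Require') {
        $findings.Add("CertSrv: Extended Protection is '$($epa.tokenChecking)', expected 'Require'")
    }
    $access = Get-WebConfiguration -PSPath $certSrv -Filter 'system.webServer/security/access'
    if ($access.sslFlags -notmatch 'Ssl') {
        $findings.Add("CertSrv: SSL not required (sslFlags='$($access.sslFlags)')")
    }
}

# KB5005413: each CES application's Web.config must set policyEnforcement="Always"
# on its binding's transport security (assumed CES path pattern: *_CES_*).
Get-WebApplication | Where-Object { $_.path -like '*_CES_*' } | ForEach-Object {
    $cfg = Join-Path $_.PhysicalPath 'web.config'
    if (-not (Select-String -Path $cfg -Pattern 'policyEnforcement="Always"' -Quiet)) {
        $findings.Add("CES $($_.path): web.config lacks policyEnforcement=""Always""")
    }
}

# Incoming NTLM to the AD CS server should be denied ("Restrict NTLM" policy, value 2).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
if ($lsa.RestrictReceivingNTLMTraffic -ne 2) {
    $findings.Add("NTLM: RestrictReceivingNTLMTraffic is '$($lsa.RestrictReceivingNTLMTraffic)', expected 2")
}

# KB5014754 (Vulnerability 2): on domain controllers the KDC should be in full
# enforcement (2) so certificates lacking the 1.3.6.1.4.1.311.25.2 SID extension
# can no longer log on through weak implicit mappings. Key exists only on DCs.
$kdc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue
if ($kdc -and $null -ne $kdc.StrongCertificateBindingEnforcement -and
    $kdc.StrongCertificateBindingEnforcement -ne 2) {
    $findings.Add("KDC: StrongCertificateBindingEnforcement is $($kdc.StrongCertificateBindingEnforcement), expected 2")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Each finding maps to one remediation step in the KB articles cited in the Sources list; an absent StrongCertificateBindingEnforcement value means the OS default applies and should be confirmed against KB5014754.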

It is essential for organizations to take proactive steps to secure their ADCS environments. PKI Solutions provides customized solutions and expert guidance to address the vulnerabilities affecting ADCS environments. Organizations can learn more about our products and services by visiting PKISolutions.com.

Sources:

  • KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
  • Microsoft Security Update Guide (CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923)
  • Oliver Lyak Blog (CVE-2022-26923)

Mark B Cooper

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
