
Security researchers from TrustedSec have uncovered a zero-day vulnerability in Active Directory Certificate Services (AD CS). It was patched in Microsoft's November Patch Tuesday release, but its implications warrant closer scrutiny.
The vulnerability, tracked as CVE-2024-49019 with a CVSS score of 7.8 and nicknamed EKUwu (catalogued as ESC15) by the researchers, stems from the way the CA handles the default version 1 certificate templates: an enrollee can inject application policies into the request, so an attacker with enrollment rights on such a template can escalate privileges dramatically.
An attacker can craft a CSR that includes an Application Policies extension, which Windows prefers over the Extended Key Usage values configured in the template. Because the request's policies override the purpose the template was meant to enforce, the attacker can obtain a client authentication, certificate request agent or code-signing certificate from a template that was never intended to issue one, such as the built-in WebServer template, which issues server authentication certificates and lets the enrollee supply the subject name.
The researchers identified the flaw during a penetration test, after noticing that the certificate enrollment interface let them manipulate the purpose fields of the requested certificate. They replaced the Server Authentication purpose with a Client Authentication application policy, and the resulting certificate let them authenticate over LDAP as the domain administrator.
The researchers tested CVE-2024-49019 across multiple client environments and found that 10 out of 15 were vulnerable. Exploiting the flaw could grant domain admin privileges and enable dangerous follow-on actions such as signing code with an unauthorized certificate. They also developed Beacon Object Files (BOFs) so the attack can be run from extensible command-and-control frameworks.
To mitigate the vulnerability:
- Restrict enrollment permissions: avoid granting enrollment rights on version 1 templates to broad groups such as Domain Users or Authenticated Users; only the accounts that need a template should be able to enroll in it.
- Remove unused templates: delete or unpublish templates that nothing legitimately uses (the WebServer template is a common candidate) to limit the attack surface.
- Enhance template security: require certificate manager approval or additional request signatures for sensitive templates, and monitor issued certificates for purposes their template never authorised.
For more information, refer to TrustedSec's detailed blog post.
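As an added example (not TrustedSec's or Microsoft's code), the following Python shows both halves of the problem described above: it encodes the Microsoft Application Policies extension an attacker places in the CSR, and it runs the kind of template-misuse check the last mitigation calls for, decoding that extension from an issued certificate and flagging any purpose the template never authorised. The template-to-purpose table, the sample certificate data and the precedence rule (Application Policies wins over EKU, as the article states) are assumptions constructed for the example; only the Python standard library is used.

```python
"""Added example for CVE-2024-49019 (EKUwu): build the Application Policies
extension an attacker places in a CSR, then audit issued certificates for
purposes their template never authorised. Not TrustedSec's or Microsoft's
code; the sample data below is constructed for the example."""
from typing import Dict, List, Optional, Set

# Real OIDs (RFC 5280 and Microsoft-specific).
OID_APP_POLICIES = "1.3.6.1.4.1.311.21.10"   # szOID_APPLICATION_CERT_POLICIES
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
OID_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

# Assumed policy table: which purposes each template is meant to issue.
TEMPLATE_ALLOWED: Dict[str, Set[str]] = {"WebServer": {OID_SERVER_AUTH}}


def _der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_oid(oid: str) -> bytes:
    """DER OBJECT IDENTIFIER, including base-128 arcs above 127 (e.g. 311)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return b"\x06" + _der_len(len(out)) + bytes(out)

def encode_application_policies(oids: List[str]) -> bytes:
    """Value of the Application Policies extension:
    SEQUENCE OF PolicyInformation { policyIdentifier OBJECT IDENTIFIER }.
    This is what an EKUwu-style CSR carries next to the enrollee-supplied subject."""
    body = b""
    for oid in oids:
        inner = encode_oid(oid)
        body += b"\x30" + _der_len(len(inner)) + inner
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the OIDs used here."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_application_policies(der: bytes) -> List[str]:
    """Inverse of encode_application_policies; run on the issued certificate."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Application Policies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)
        oid_tag, oid_body, _ = _read_tlv(info, 0)
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids

def effective_purposes(eku: List[str], app_policies: List[str]) -> Set[str]:
    """Model of the precedence rule the article describes: when an
    Application Policies extension is present it wins over EKU (assumed)."""
    return set(app_policies) if app_policies else set(eku)

def audit_issued_cert(template: str, eku: List[str],
                      app_policies_der: Optional[bytes]) -> List[str]:
    """Purposes the certificate is usable for that its template never
    authorised. A non-empty result on a WebServer-template certificate is
    the EKUwu signature (client auth, request agent or code signing)."""
    app = decode_application_policies(app_policies_der) if app_policies_der else []
    return sorted(effective_purposes(eku, app) - TEMPLATE_ALLOWED[template])


if __name__ == "__main__":
    # Constructed sample: the CA copied Server Authentication from the
    # WebServer template into EKU but honoured the attacker's policies.
    attacker_ext = encode_application_policies([OID_CLIENT_AUTH])
    print("CSR extension value:", attacker_ext.hex())
    print("abuse:", audit_issued_cert("WebServer", [OID_SERVER_AUTH], attacker_ext))
    print("benign:", audit_issued_cert("WebServer", [OID_SERVER_AUTH], None))
```

To run this against real issued certificates, feed `audit_issued_cert` the template name from the CA database and the raw value of the extension with OID 1.3.6.1.4.1.311.21.10 from each certificate; any hit on a template that should only issue server authentication certificates is worth an immediate look at who requested it.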

