Active Directory Certificate Services (ADCS) PKI Domain Admin Vulnerability

Microsoft Windows

Microsoft has published an advisory, https://msrc.microsoft.com/update-guide/vulnerability/ADV210003, describing an attack chain that starts with NTLM authentication: an attacker obtains an unauthenticated NTLM connection and relays it to the Active Directory Certificate Services (ADCS) web enrollment endpoint. If automatic web enrollment is enabled, the relayed connection can be used to request a certificate.

Once they have a certificate, they can use it to obtain a Kerberos TGT (Ticket Granting Ticket) and from there attack and compromise the domain; if the certificate can be one for a domain controller, there are paths to domain admin privileges. The article at https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/ gives a more detailed overview.

So what can you do?

If you are not running Active Directory Certificate Services, you are fine. If you are, you need to check whether automatic web enrollment of certificates is enabled and, if so, whether that enrollment endpoint accepts NTLM authentication.

If it is enabled for NTLM (which is ultimately the vector), you need to take action; refer to the links above for your options.
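The check described above can be scripted. The following PowerShell is an added example, not code from the original post or from Microsoft: run it elevated on the server hosting the ADCS web enrollment role. It assumes the CertSrv application sits under the IIS site named "Default Web Site" (the default install location) and that the WebAdministration module is available; both are assumptions you may need to adjust. Beyond the post's two questions (is web enrollment installed, is NTLM accepted), it also reports whether Extended Protection for Authentication and TLS are required on the endpoint, since those are the hardening settings the advisory points to.

```powershell
# Added example (not from the original post): audit the ADCS web enrollment
# endpoint (/CertSrv) for the conditions that make NTLM relay against it possible.
# Assumptions: run elevated on the CA/web enrollment server; CertSrv lives under
# 'Default Web Site'; the WebAdministration module is installed with IIS.
Import-Module WebAdministration -ErrorAction Stop

$SiteName   = 'Default Web Site'                    # assumption: default site name
$CertSrv    = "IIS:\Sites\$SiteName\CertSrv"
$AuthFilter = 'system.webServer/security/authentication/windowsAuthentication'

# Get-WebConfigurationProperty returns a ConfigurationAttribute for most scalar
# settings; unwrap it so comparisons below work on the plain value.
function Get-IisAttributeValue {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $attr = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $attr -and $attr.PSObject.Properties['Value']) { return $attr.Value }
    return $attr
}

function Test-AdcsWebEnrollmentExposure {
    $r = [ordered]@{}

    # 1. Is the Web Enrollment role service installed at all?
    $feature = Get-WindowsFeature -Name ADCS-Web-Enrollment
    $r.WebEnrollmentInstalled = [bool]$feature.Installed
    if (-not $r.WebEnrollmentInstalled) {
        $r.Finding = 'Web enrollment is not installed; this vector does not apply.'
        return [pscustomobject]$r
    }

    # 2. Is Windows (integrated) authentication enabled on /CertSrv?
    $r.WindowsAuthEnabled = [bool](Get-IisAttributeValue $CertSrv $AuthFilter 'enabled')

    # 3. Which providers are offered? NTLM, or Negotiate (which can fall back to
    #    NTLM), is what a relay needs. Items in the providers collection carry
    #    the provider name in their 'value' attribute.
    $providers = @(Get-WebConfigurationProperty -PSPath $CertSrv -Filter "$AuthFilter/providers" -Name Collection |
                   ForEach-Object { $_.value })
    $r.Providers   = $providers -join ', '
    $r.NtlmOffered = [bool]($providers | Where-Object { $_ -match '^(NTLM|Negotiate)$' })

    # 4. Extended Protection for Authentication (channel binding). 'Require' defeats
    #    the relay even when NTLM is offered; 'Allow' or 'None' does not.
    $r.ExtendedProtection = [string](Get-IisAttributeValue $CertSrv "$AuthFilter/extendedProtection" 'tokenChecking')

    # 5. Is TLS required on the endpoint? Channel binding only helps over HTTPS.
    $sslFlags     = [string](Get-IisAttributeValue $CertSrv 'system.webServer/security/access' 'sslFlags')
    $r.RequireSsl = $sslFlags -match '\bSsl\b'

    $exposed = $r.WindowsAuthEnabled -and $r.NtlmOffered -and ($r.ExtendedProtection -ne 'Require')
    $r.Finding = if ($exposed) {
        'AT RISK: /CertSrv accepts NTLM without requiring Extended Protection'
    } elseif (-not $r.WindowsAuthEnabled) {
        'Windows authentication is disabled on /CertSrv; NTLM is not offered here'
    } else {
        'NTLM relay to /CertSrv is mitigated by the current settings'
    }
    [pscustomobject]$r
}

Test-AdcsWebEnrollmentExposure | Format-List
```

A result of "Windows authentication is disabled" corresponds to the state the post describes as safe; "AT RISK" means the endpoint offers NTLM without requiring channel binding, which is the configuration the advisory's mitigations are aimed at. If Enrollment Web Services (CES/CEP) are also installed, they are separate IIS applications and need the same inspection with their own paths.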

In our case we checked and, as you can see, all authentication is disabled (which means NTLM is not available as an authentication provider), so it would seem we are not at risk of compromise via this vector.
