Vulnerability in Active Directory Certificate Services Allows Attackers to Escalate Privileges

A critical vulnerability has been discovered in Microsoft’s Active Directory Certificate Services (AD CS). This vulnerability enables attackers to escalate privileges within the system and potentially gain control at the domain administrator level.

The vulnerability was identified by TrustedSec in October 2024 and is known as ESC15 or EKUwu. It is officially tracked as CVE-2024-49019. The issue primarily affects AD CS configurations that use version 1 certificate templates.

How the ESC15 Vulnerability Works

The vulnerability stems from a flaw in how AD CS processes certificate requests. Attackers can modify a standard Certificate Signing Request (CSR) so that the Extended Key Usage (EKU) attributes of the issued certificate are ones the template was never meant to grant. This allows them to obtain certificates with elevated privileges, such as:

  • Client Authentication;
  • Certificate Request Agent;
  • Code Signing.

A particularly alarming aspect is the exploitation of the commonly used WebServer template. While this template is not typically intended for client authentication, the vulnerability enables attackers to add that EKU to certificates issued from it, potentially compromising the entire domain.

Microsoft’s Response

Microsoft has acknowledged that this vulnerability has a high likelihood of being exploited in the future and has urged organizations to take immediate action to secure their environments. To address the issue, Microsoft released an official security patch on November 12, 2024, as part of its Patch Tuesday updates.

Recommended Mitigation Steps

To secure AD CS systems, the following measures are recommended:

  1. Review and restrict access permissions to certificate templates.
  2. Remove unused certificate templates from the system.
  3. Implement additional protections for certificate requests, such as extra signatures or approval processes.
  4. Audit all certificates issued using version 1 templates to identify unauthorized EKUs or unusual subject names.
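As an added example that is not from the article, the audit in step 4 can be scripted in PowerShell for the WebServer case described above, run over certificates exported from the CA database (for example with certutil -view) into a folder of .cer files; the folder path, the expected-EKU table and the decision to skip non-v1 certificates are assumptions.

```powershell
# Added example, not from the original article: flag issued certificates whose EKUs
# go beyond what their v1 template is expected to carry (e.g. WebServer + Client Auth).
param([string]$CertDir = ".\issued")   # assumed folder of exported .cer files

# Assumed baseline: EKU OIDs each audited v1 template is allowed to carry.
$ExpectedEku = @{
    'WebServer' = @('1.3.6.1.5.5.7.3.1')   # Server Authentication only
}
# Friendly names for the EKUs the article lists as the dangerous ones, plus Server Auth.
$EkuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.5.7.3.3'      = 'Code Signing'
    '1.3.6.1.4.1.311.20.2.1' = 'Certificate Request Agent'
}

function Get-V1TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v1 templates stamp their name into extension 1.3.6.1.4.1.311.20.2 as a DER BMPString:
    # tag 0x1E, short-form length, UTF-16BE text. v2+ templates use a different extension
    # (1.3.6.1.4.1.311.21.7) and are deliberately skipped here.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    if (-not $ext -or $ext.RawData[0] -ne 0x1E) { return $null }
    return [System.Text.Encoding]::BigEndianUnicode.GetString($ext.RawData, 2, $ext.RawData[1])
}

Get-ChildItem -Path $CertDir -Filter *.cer | ForEach-Object {
    $file = $_
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
    $template = Get-V1TemplateName -Cert $cert
    if (-not $template -or -not $ExpectedEku.ContainsKey($template)) { return }   # not an audited v1 template

    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ekuExt) { return }   # no EKU extension: nothing beyond the template's intent

    # Every EKU not in the template's allowed set is a finding; report one row per EKU.
    $ekuExt.EnhancedKeyUsages | Where-Object { $ExpectedEku[$template] -notcontains $_.Value } | ForEach-Object {
        $name = if ($EkuNames.ContainsKey($_.Value)) { $EkuNames[$_.Value] } else { $_.Value }
        [pscustomobject]@{
            File          = $file.Name
            Subject       = $cert.Subject
            Template      = $template
            UnexpectedEku = $name
            Serial        = $cert.SerialNumber
        }
    }
}
```

Any row this prints is a certificate to revoke and investigate; an empty result for the WebServer template means no exported certificate carries an EKU outside Server Authentication.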

Conclusion

Vulnerabilities in AD CS systems, including ESC15, highlight the importance of proper configuration and regular security assessments of corporate PKI (Public Key Infrastructure) systems. Organizations must remain vigilant in protecting their Active Directory infrastructure and stay informed about emerging threats.

Cybersecurity teams must respond promptly to vulnerabilities like ESC15 and implement comprehensive measures to safeguard AD CS systems.
