The most dangerous vulnerability you've never heard of.
In the world of cybersecurity, vulnerabilities are discovered so often, and at such a high rate, that it can be very difficult to keep up. Some vulnerabilities will start ringing alarm bells within your security tooling, while others are far more nuanced but still pose an equally dangerous threat. Today, we want to discuss one of these more nuanced vulnerabilities, as it is likely lurking in your environment waiting to be exploited: Active Directory Certificate Services vulnerabilities.
vPenTest by Vonahi Security recently implemented an attack vector specifically designed to identify and mitigate these hidden AD CS threats. But first, let's explore why AD CS vulnerabilities are so dangerous and how they work.
What is Active Directory Certificate Services?
Active Directory Certificate Services ("AD CS"), as defined by Microsoft, is "a Windows Server role for issuing and managing public key infrastructure (PKI) certificates used in secure communication and authentication protocols." Some common features and services that rely on AD CS are:
- The Windows Logon Process
- Enterprise VPN and Wireless Networks
- Email Encryption and Digital Signatures
- Smart Card Authentication
As companies continue to increase the variety of technologies available within their organizations, AD CS will become more common and more necessary, especially as companies continue to host their services in the cloud. Many AWS, Azure and GCP services require certificate-based authentication to function, so it is expected that AD CS will become an increasingly prominent and required service in modern multi-cloud networks.
Hidden hazards.
As with all powerful tools, there is a responsibility to maintain these tools properly, as they can very often be misused without the proper safeguards. This is indeed the case with AD CS. Since AD CS is a core component of the modern Windows and Active Directory authentication and authorization framework, any vulnerabilities that exist pose a great risk to those environments. As we saw 6-7 years ago with Kerberos, and continue to see today, if key authentication infrastructure is compromised, it can be abused to great lengths. The same is the case with AD CS, if not to a greater extent.
AD CS Attack Basics
AD CS attacks rely on the fact that the domain trusts the Certificate Authority ("CA") server as much as it trusts its Kerberos servers and other identity servers. Think of the CA server as a gatekeeper. Just as a gatekeeper controls access to a secure area, the CA server controls the distribution and validation of certificates, ensuring that only trusted entities can gain access.
However, AD CS attacks leverage this fact in order to circumvent the need for things like passwords or encryption keys. There are four major classes of AD CS vulnerabilities:
- ESC – This class of vulnerabilities results in some level of privilege escalation within the victim network / domain. Attackers can abuse these vulnerabilities to convert their access from a low-privileged user to the domain administrator, with little to no effort.
- THEFT – These vulnerabilities are present when there are no significant security controls around the client endpoint, which allows authentication certificates to be stolen, resulting in either privilege escalation or persistence in the environment.
- PERSIST – As the name states, these vulnerabilities result in a situation in the network environment in which the attacker can abuse their access to a certificate in order to persist their access in an environment, without the need for a password.
- CVE – Separate from the first three classes, these vulnerabilities are based on abusing certain known vulnerabilities within AD CS that have patches.
It is critically worth noting that, while Microsoft does track and release patches for the AD CS vulnerabilities that have been assigned CVEs, for the majority of these vulnerabilities Microsoft puts the onus of repair and security on the consumer, which leads to these vulnerabilities being present much more often.
The most dangerous of the AD CS vulnerability categories is the ESC category (ESC as in privilege escalation). These pose the greatest threat to the user's environment as they require little to no privileges, depending on the specific misconfiguration. One such misconfiguration is the ESC2 vulnerability, which arises from a server's need to impersonate certain users under particular circumstances.
This attack allows a standard user to enroll for a certificate on behalf of another user by impersonating them via the request's on-behalf-of field. By doing this, a standard low-privileged user can pretend to be the domain administrator and request certificates, and later obtain the domain administrator's NTLM hash, resulting in full compromise of the domain administrator account, and typically the whole domain. Check out the demo to see how an attacker might exploit this by using the AD CS hacking tool, Certipy.
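The template settings that make on-behalf-of enrollment abusable can be checked from the defender's side. The following is an added example, not code from this article, PSPKIAudit or Certipy: it applies the any-purpose and enrollment-agent template criteria from the SpecterOps research to template records exported from AD. The `enrollers` field (principals holding the Enroll right) and all sample templates are constructed assumptions.

```python
# Added example: audit exported certificate-template records for settings that
# let a low-privileged user get an any-purpose or enrollment-agent certificate.
# "enrollers" is a hypothetical, pre-resolved list of principals with Enroll.
ANY_PURPOSE = "2.5.29.37.0"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
CT_FLAG_PEND_ALL_REQUESTS = 0x2  # msPKI-Enrollment-Flag: CA manager approval
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def audit_template(t):
    """Return a finding string for a risky template record, else None."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    if not ekus:
        reason = "no EKU (usable for any purpose)"
    elif ANY_PURPOSE in ekus:
        reason = "Any Purpose EKU"
    elif CERT_REQUEST_AGENT in ekus:
        reason = "Certificate Request Agent EKU"
    else:
        return None
    # Manager approval or a required authorized signature blocks self-service.
    approval = t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS
    if approval or t.get("msPKI-RA-Signature", 0) > 0:
        return None
    exposed = sorted(LOW_PRIV & set(t.get("enrollers", [])))
    if not exposed:
        return None
    return f"{reason}, no approval, enrollable by {', '.join(exposed)}"

def audit_all(templates):
    findings = {name: audit_template(t) for name, t in templates.items()}
    return {name: f for name, f in findings.items() if f}

# Constructed sample records (not taken from any real environment).
SAMPLES = {
    "User": {"pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
             "enrollers": ["Domain Users"]},
    "LegacyAnyPurpose": {"pKIExtendedKeyUsage": [ANY_PURPOSE],
                         "enrollers": ["Domain Users"]},
    "AgentWithApproval": {"pKIExtendedKeyUsage": [CERT_REQUEST_AGENT],
                          "msPKI-Enrollment-Flag": 0x2,
                          "enrollers": ["Authenticated Users"]},
    "HelpdeskAgent": {"pKIExtendedKeyUsage": [CERT_REQUEST_AGENT],
                      "msPKI-Enrollment-Flag": 0x20,
                      "enrollers": ["Authenticated Users", "Helpdesk"]},
    "AdminOnlyNoEku": {"pKIExtendedKeyUsage": [], "enrollers": ["Domain Admins"]},
}

if __name__ == "__main__":
    for name, finding in audit_all(SAMPLES).items():
        print(f"{name}: {finding}")
```

A flagged template is remediated by narrowing its EKUs, requiring manager approval or an authorized signature, or restricting enrollment rights to the groups that actually need it.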
What should you do?
As discussed, Microsoft does not have patches that make fixing or identifying these vulnerabilities easy for their users, so the responsibility falls on the users of AD CS to secure their own systems, which can be challenging. So, what to do?
Built by the discoverers of this vulnerability class, https://github.com/GhostPack/PSPKIAudit is a PowerShell framework designed to do a lot of the heavy lifting for you and identify any offending vulnerabilities in the AD CS configuration. However, even if you do rule out these vulnerabilities at one point in time, they may resurface alongside the addition of new tools to the environment. That's where vPenTest by Vonahi Security comes in.
vPenTest is a state-of-the-art automated penetration testing tool that takes charge of your network, performing comprehensive security assessments automatically, allowing your business to continue to focus on what matters the most for you. vPenTest has built-in detections for AD CS vulnerabilities and can demonstrate impact by exploiting the vulnerabilities in the network so you can show the relevant stakeholders why they need to care about these vulnerabilities. Check out vPenTest today!
Credits to the SpecterOps team for their wonderful research into the subject and to ly4k for developing such an amazing tool, Certipy, to help identify these vulnerabilities.