Active Directory Certificate Services Elevation of Privilege Vulnerability

Security Vulnerability

Released: Nov 12, 2024

Assigning CNA
Microsoft
CVE.org link
CVE-2024-49019
Impact
Elevation of Privilege
Max Severity
Important
Weakness
CVSS Source
Microsoft
Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

Exploitability

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly disclosed
Yes
Exploited
No
Exploitability assessment
Exploitation More Likely

Mitigations

The following are several recommendations to consider for securing certificate templates:

1. Remove Overly Broad Enroll or Autoenroll Permissions Avoid granting overly broad enrollment permissions for certificates. Instead, carefully consider which accounts need permissions, and explicitly deny enrollment rights for users or groups of users that should not be eligible for enrollment.

2. Remove Unused Templates from Certification Authorities Several templates are included as part of the installation of an enterprise CA. If those templates are not required, they should be removed.

3. Secure Templates that Allow You to Specify the Subject in the Request:

  • Implement additional signatures on requests
  • Implement certificate manager approval
  • Implement monitoring of certificates issued by the template

More details on securing certificate templates can be found here: Securing PKI: Technical Controls for Securing PKI | Microsoft Learn.

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain domain administrator privileges.

How do I know if my PKI environment is vulnerable to this type of attack?

Check if you have published any certificates created using a version 1 certificate template where the Source of subject name is set to "Supplied in the request" and the Enroll permissions are granted to a broader set of accounts, such as domain users or domain computers. An example is the built-in Web Server template, but it is not vulnerable by default due to its restricted Enroll permissions.

What types of certificates are vulnerable to this type of attack?

Certificates created using a version 1 certificate template with Source of subject name set to "Supplied in the request" are potentially vulnerable if the template is not secured according to the best practices published in the Securing Certificate Templates section of Securing PKI: Technical Controls for Securing PKI | Microsoft Learn.

Acknowledgements

  • Lou Scicchitano with TrustedSec
  • Scot Berner with TrustedSec
  • Justin Bollinger with TrustedSec
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Security Updates

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.

Release date Descending

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

How satisfied are you with the MSRC Security Update Guide?