Analyzing AD CS Vulnerabilities: Key Insights for InfoSec Professionals
The Most Dangerous Vulnerability You’ve Never Heard Of
In cybersecurity, new vulnerabilities are disclosed so frequently that keeping up with them can be a daunting task. Some trigger immediate alerts within your security systems, while others are subtler yet equally perilous. Today, we’re highlighting one of these less obvious threats that may already be lurking in your environment: Active Directory Certificate Services (AD CS) vulnerabilities.
Vonahi Security’s vPenTest has recently introduced an attack vector specifically aimed at identifying and mitigating these hidden AD CS risks. Before diving into how this tool works, let’s first understand why AD CS vulnerabilities are so dangerous and how they operate.
What is Active Directory Certificate Services?
Active Directory Certificate Services (AD CS) is a Windows Server role that issues and manages public key infrastructure (PKI) certificates, which are essential for secure communication and authentication protocols. AD CS supports various features and services, including:
- The Windows Logon Process
- Enterprise VPN and Wireless Networks
- Email Encryption and Digital Signatures
- Smart Card Authentication
As organizations continue to diversify their technological assets, AD CS is becoming increasingly common and essential, especially with the growing shift to cloud environments. Many AWS, Azure, and GCP services rely on certificate-based authentication, making AD CS a crucial component in modern multi-cloud networks.
Hidden Dangers
Like any powerful tool, AD CS requires proper maintenance, because it is easily misused if not adequately safeguarded. AD CS is a fundamental part of the Windows and Active Directory authentication and authorization framework, so any vulnerability within it is a significant risk to those environments. Just as we observed with Kerberos several years ago—and continue to see today—compromising key authentication infrastructure can lead to severe exploitation. The risks associated with AD CS are similarly serious, if not greater.
AD CS Attack Fundamentals
AD CS attacks exploit the fact that the domain trusts the Certificate Authority (CA) server as much as it trusts its Kerberos and other identity servers. Think of the CA server as a gatekeeper, controlling the distribution and validation of certificates to ensure only trusted entities gain access.
However, attackers can manipulate this trust to bypass the need for passwords or encryption keys. There are four primary categories of AD CS vulnerabilities:
- ESC (Privilege Escalation) – This type of vulnerability allows attackers to escalate their privileges within the network or domain. By exploiting these vulnerabilities, attackers can easily elevate their access from a low-level user to a domain administrator.
- THEFT – These vulnerabilities arise when there is insufficient security around the client endpoint, allowing attackers to steal authentication certificates. This can lead to privilege escalation or persistence within the environment.
- PERSIST – These vulnerabilities enable attackers to maintain their access within a network by abusing certificates, without needing a password.
- CVE – Unlike the first three, this category involves exploiting known vulnerabilities within AD CS that have assigned CVEs. While Microsoft tracks and releases patches for these, the responsibility for applying them and the accompanying hardening steps often falls on the user, which is why these vulnerabilities remain so prevalent.
The most dangerous category of AD CS vulnerabilities is ESC (Privilege Escalation). These vulnerabilities pose the greatest risk to a user’s environment because, depending on the specific misconfiguration, they require only minimal privileges to exploit. One example is the ESC2 vulnerability, which arises when a server is configured to request certificates on behalf of certain users under specific conditions.
This attack enables a regular user to enroll for a certificate by impersonating another user via the request’s on-behalf-of field. By doing so, a low-privileged user can pretend to be the domain administrator, request certificates, and eventually obtain their NTLM hash, leading to a complete compromise of the domain administrator account and, typically, the entire domain. You can watch a demo to see how an attacker might exploit this using the AD CS hacking tool, Certipy.
What Can You Do?
As mentioned, Microsoft does not provide straightforward patches for fixing or identifying these vulnerabilities, leaving the responsibility on AD CS users to secure their systems—a task that can be quite challenging. So, what steps should you take?
The PowerShell framework PSPKIAudit, developed by the discoverers of this vulnerability class, is designed to simplify the process by identifying problematic settings in your AD CS configuration. However, even if you eliminate these vulnerabilities initially, they may reappear as new tools and templates are added to your environment.
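To show what an audit like the one described above actually checks, here is an added example (not code from this post, from vPenTest, or from PSPKIAudit) that reads every certificate template from the Configuration partition and reports the template settings the ESC-class abuses depend on: a requester-chosen subject on an authentication template, an Any Purpose or unrestricted EKU, and enrollment-agent (on-behalf-of) issuance, each only where no manager approval or co-signature stands in the way. It assumes a domain-joined host with read access to the Configuration naming context; the flag values and OIDs are Microsoft's documented constants.

```powershell
# Added audit example, not from the post, vPenTest or PSPKIAudit.
$configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Property names come back lowercased from DirectorySearcher; guard missing attributes.
function Get-Prop($props, $name) { if ($props.Contains($name) -and $props[$name].Count) { $props[$name][0] } }

# Which templates are actually published on a CA (pKIEnrollmentService objects)
$caSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Enrollment Services,$pkiBase")
$caSearch.Filter = "(objectClass=pKIEnrollmentService)"
$published = @{}
foreach ($ca in $caSearch.FindAll()) {
    foreach ($t in $ca.Properties['certificatetemplates']) { $published[[string]$t] = [string](Get-Prop $ca.Properties 'cn') }
}

$tSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Certificate Templates,$pkiBase")
$tSearch.Filter   = "(objectClass=pKICertificateTemplate)"
$tSearch.PageSize = 500

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval required
$AnyPurpose      = '2.5.29.37.0'
$EnrollmentAgent = '1.3.6.1.4.1.311.20.2.1'             # Certificate Request Agent
$AuthEkus = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', $AnyPurpose)

$findings = foreach ($r in $tSearch.FindAll()) {
    $p        = $r.Properties
    $name     = [string](Get-Prop $p 'cn')
    $nameFlag = [int](Get-Prop $p 'mspki-certificate-name-flag')
    $enrlFlag = [int](Get-Prop $p 'mspki-enrollment-flag')
    $sigs     = [int](Get-Prop $p 'mspki-ra-signature')    # authorized signatures required
    $ekus     = @($p['pkiextendedkeyusage'] | ForEach-Object { [string]$_ })

    # Nothing stands between the request and issuance: no approval, no co-signature
    $autoIssue  = (($enrlFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0) -and ($sigs -eq 0)
    # An empty EKU list is treated like Any Purpose: the certificate is usable for logon
    $allowsAuth = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
    $issues = @()
    if ($autoIssue -and $allowsAuth -and (($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0)) {
        $issues += 'requester chooses the subject/SAN of an authentication certificate'
    }
    if ($autoIssue -and (($ekus.Count -eq 0) -or ($ekus -contains $AnyPurpose))) {
        $issues += 'Any Purpose / no EKU restriction'
    }
    if ($autoIssue -and ($ekus -contains $EnrollmentAgent)) {
        $issues += 'issues enrollment-agent certificates usable for on-behalf-of requests'
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Template = $name; PublishedOn = $published[$name]; Issues = ($issues -join '; ') }
    }
}
$findings | Sort-Object Template | Format-Table -AutoSize
```

A template only becomes exploitable when low-privileged principals also hold enrollment rights on it and on the CA, so review the template and CA security descriptors for any row this reports, and treat rows with an empty PublishedOn column as lower priority until the template is published.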
That’s where vPenTest by Vonahi Security becomes essential. vPenTest is an advanced automated penetration testing tool that takes control of your network security assessments, allowing your business to stay focused on what matters most. vPenTest includes built-in detections for AD CS vulnerabilities and can demonstrate their impact by exploiting these flaws, making it easier to communicate the risks to relevant stakeholders.
Explore vPenTest today!
Special thanks to the SpecterOps team for their excellent research on this topic and to ly4k for creating the invaluable tool, Certipy, which helps identify these vulnerabilities.