Vulnerability: Enrollee Supplies Subject (ESC1)
MITRE ATT&CK Sub-technique:
Impact
Malware or an attacker with low-privileged access in the domain can escalate to the highest privileges and obtain Domain Administrator privilege in less than 10 minutes. That is, any single compromise in the environment, whether through an existing unpatched vulnerability or through an unprivileged user or vendor with malicious intent, can compromise the complete domain.
Vulnerability Description
A certificate template that is enabled with all of the following configurations introduces this vulnerability in the Active Directory environment.
Condition 1: The certificate template is configured with the "Supply in the request" option for the Subject Name.
Condition 2 (this is the default behaviour for the User template): Unprivileged users such as Domain Users are granted Enroll permissions.
Condition 3 (this is the default behaviour for the User template): The certificate is allowed for authentication through the presence of "Client Authentication" in the Application Policies within the Extensions.
Condition 4 (this is the default behaviour for the User template): Additional Issuance Requirements for review and approval of certificates before issuance are not configured.
Vulnerability Remediation
Use "Build from this Active Directory information" instead of "Supply in the request" in the Subject Name configuration of the template, so that the subject is taken from the requesting account's directory object rather than from the request.
Vulnerability Identification
This vulnerability is termed "ESC1". Tools such as Certify or Certipy can be used to identify templates that meet all four conditions.
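The four conditions above map to attributes of the template object in the Configuration partition of Active Directory, which is what tools like Certify and Certipy evaluate. The following audit script is an added example written for this page, not code from the page or from either tool. It checks the Vulnerability Description conditions and the Remediation against template attributes that are assumed to have been exported already (for example with an LDAP query) and flattened into Python objects: msPKI-Certificate-Name-Flag (Condition 1), the principals holding the Certificate-Enrollment right (Condition 2, assumed to be pre-resolved to group names), pKIExtendedKeyUsage (Condition 3), and msPKI-Enrollment-Flag plus msPKI-RA-Signature (Condition 4). It goes slightly beyond the page by also treating the other authentication-capable EKUs and an empty EKU list as satisfying Condition 3, which is how the well-known checkers treat them. The sample templates are constructed for the example.

```python
"""Audit exported AD CS certificate templates for the ESC1 conditions.

Added example for this page; the template records below are constructed,
not exported from a real domain.
"""
from dataclasses import dataclass
from typing import List, Set

# msPKI-Certificate-Name-Flag bit set by "Supply in the request" (Condition 1).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit set by "CA certificate manager approval" (Condition 4).
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let the issued certificate be used for authentication (Condition 3).
# The page names Client Authentication; the rest are added here as the other
# well-known authentication-capable EKUs.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",         # Client Authentication
    "1.3.6.1.5.2.3.4",           # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",    # Smart Card Logon
    "2.5.29.37.0",               # Any Purpose
}

# Principals treated as unprivileged for Condition 2 (assumption: the template's
# security descriptor has already been resolved to these group names).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int               # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ekus: List[str]              # pKIExtendedKeyUsage
    ra_signatures: int           # msPKI-RA-Signature (authorized signatures required)
    enroll_principals: Set[str]  # holders of the Certificate-Enrollment right
    published: bool              # listed in a CA's certificateTemplates attribute


def esc1_findings(t: Template) -> List[str]:
    """Return the ESC1 conditions the template satisfies; all four means ESC1."""
    hits = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        hits.append("subject supplied in request")
    if t.enroll_principals & LOW_PRIV_PRINCIPALS:
        hits.append("low-privileged enrollment")
    # An empty EKU list is treated like Any Purpose.
    if not t.ekus or set(t.ekus) & AUTH_EKUS:
        hits.append("authentication EKU")
    if not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS) and t.ra_signatures == 0:
        hits.append("no manager approval or authorized signatures")
    return hits


def is_esc1(t: Template) -> bool:
    """A template is ESC1 only when published and all four conditions hold."""
    return t.published and len(esc1_findings(t)) == 4


def audit(templates: List[Template]) -> List[str]:
    """Names of the ESC1 templates in an exported set."""
    return [t.name for t in templates if is_esc1(t)]


# Constructed sample: a User-like template with "Supply in the request" enabled.
VULNERABLE = Template(
    name="WebServerUserCopy",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=0,
    ekus=["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
    ra_signatures=0,
    enroll_principals={"Domain Users", "Domain Admins"},
    published=True,
)

# Same template after the page's remediation: subject built from AD (flag cleared).
REMEDIATED = Template(**{**VULNERABLE.__dict__, "name_flag": 0})

# Same template left with "Supply in the request" but with manager approval required.
APPROVAL_REQUIRED = Template(**{**VULNERABLE.__dict__, "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS})

if __name__ == "__main__":
    for t in (VULNERABLE, REMEDIATED, APPROVAL_REQUIRED):
        print(f"{t.name}: ESC1={is_esc1(t)} conditions={esc1_findings(t)}")
```

Condition 2 is deliberately modelled on resolved principal names rather than on the raw security descriptor, because parsing nTSecurityDescriptor correctly (including inherited ACEs and the Certificate-Enrollment extended right) is the part most worth delegating to the tools the page names; the script is meant to show which attribute each condition rests on and that clearing the single name-flag bit is what the remediation changes.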
Exploitation Reference