A critical vulnerability in Microsoft’s Active Directory Certificate Services (AD CS) could allow attackers to escalate privileges and potentially gain domain admin access.
This new exploit, dubbed ESC15 or “EKUwu,” was discovered by TrustedSec in early October 2024 and has since been added to popular offensive security tools.
The vulnerability, officially tracked as CVE-2024-49019, affects AD CS environments using version 1 certificate templates with specific configurations. It allows attackers with basic enrollment rights to manipulate certificate requests, bypassing intended restrictions and gaining unauthorized privileges.
ESC15 builds upon previous AD CS vulnerabilities, known as ESC1 through ESC14, which were first documented by SpecterOps researchers Will Schroeder and Lee Christensen in 2021. This latest discovery demonstrates the ongoing challenges in securing AD CS infrastructures.
The exploit takes advantage of a quirk in how AD CS handles certificate requests. Attackers can craft Certificate Signing Requests (CSRs) that include application policies overriding the intended Extended Key Usage (EKU) attributes specified in the template.
This allows them to generate certificates with elevated privileges, such as client authentication, certificate request agent, and even code signing capabilities.
Particularly concerning is the ability to exploit the commonly used WebServer template. Despite this template not typically including client authentication permissions, the vulnerability allows attackers to add these capabilities, potentially leading to domain compromise.
Microsoft Addressed the Issue
Microsoft has assessed the likelihood of future exploitation as high, given the potential for attackers to gain domain admin privileges. Organizations using AD CS are urged to take immediate action to protect their environments.
Recommended mitigation steps include:
- Reviewing and tightening enrollment permissions on certificate templates.
- Removing unused certificate templates to reduce the attack surface.
- Implementing additional protections for custom subject requests, such as extra signatures or approval processes.
- Auditing all valid certificates issued with schema version 1 templates for unauthorized EKUs or unusual subject names.
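One way to carry out the last audit step, as an added example that is not from the article, Microsoft or TrustedSec: it compares the usages each issued certificate asserts (EKUs plus application policies) with what its schema version 1 template defines. The record layout, template inventory and sample certificates are constructed assumptions; the OIDs are the standard ones for the usages the article names.

```python
# Added example: data shapes and sample records are assumptions, not AD CS output.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

# Usages the article names as obtainable through injected application policies.
HIGH_RISK = {CLIENT_AUTH: "Client Authentication", CODE_SIGNING: "Code Signing",
             CERT_REQUEST_AGENT: "Certificate Request Agent"}

# Constructed template inventory: name -> schema version and EKUs the template defines.
TEMPLATES = {
    "WebServer": {"schema_version": 1, "ekus": {SERVER_AUTH}},
    "CorpUser": {"schema_version": 2, "ekus": {CLIENT_AUTH}},
}

# Constructed issued-certificate records (for example, parsed from a CA database export).
ISSUED = [
    {"serial": "01", "template": "WebServer", "subject": "CN=intranet.example.test",
     "ekus": [SERVER_AUTH], "app_policies": []},
    {"serial": "02", "template": "WebServer", "subject": "CN=svc-build",
     "ekus": [SERVER_AUTH], "app_policies": [CLIENT_AUTH, CERT_REQUEST_AGENT]},
    {"serial": "03", "template": "CorpUser", "subject": "CN=alice",
     "ekus": [CLIENT_AUTH], "app_policies": [CLIENT_AUTH]},
    {"serial": "04", "template": "Retired", "subject": "CN=old",
     "ekus": [], "app_policies": [CODE_SIGNING]},
]

def audit_issued(certs, templates):
    """Return (serial, severity, extra usages) for certs exceeding their v1 template."""
    findings = []
    for cert in certs:
        tmpl = templates.get(cert["template"])
        if tmpl is None:
            # Template not in the inventory: nothing to compare against, flag for review.
            findings.append((cert["serial"], "unknown-template", []))
            continue
        if tmpl["schema_version"] != 1:
            continue  # the article scopes the issue to schema version 1 templates
        asserted = set(cert["ekus"]) | set(cert["app_policies"])
        extra = sorted(asserted - tmpl["ekus"])
        if extra:
            severity = "high" if any(o in HIGH_RISK for o in extra) else "review"
            findings.append((cert["serial"], severity, [HIGH_RISK.get(o, o) for o in extra]))
    return findings

if __name__ == "__main__":
    for finding in audit_issued(ISSUED, TEMPLATES):
        print(finding)
```

Certificates flagged `high` are candidates for revocation and for a review of who holds enrollment rights on that template.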
Microsoft released an official fix for ESC15 on November 12, 2024, as part of its November Patch Tuesday updates. However, administrators are advised to take proactive measures to secure their AD CS environments beyond simply applying the patch.
As organizations continue to rely on AD CS for managing digital identities, the discovery of ESC15 serves as a stark reminder of the critical importance of proper configuration and ongoing security assessments in enterprise PKI environments.
Cybersecurity teams must remain vigilant and stay informed about emerging threats to protect their Active Directory infrastructures effectively.