Microsoft Active Directory Certificate Services Vulnerability (CVE-2024-49019)

Microsoft has recently disclosed a new security vulnerability, CVE-2024-49019, in Microsoft Patch Tuesday updates, affecting Active Directory Certificate Services (AD CS).

This vulnerability, classified as an Elevation of Privilege (EoP) issue, poses a significant risk to enterprises relying on AD CS for managing digital certificates.


CVE-2024-49019 is rated Important and classified under CWE-1390 (Weak Authentication); it allows elevation of privilege because the certificate enrollment path does not adequately authenticate who may obtain a certificate for a given identity.

It has a CVSS score of 7.8, indicating high severity, and its exploitability is considered more likely. Although the vulnerability has been publicly disclosed, there have been no known instances of it being exploited to date.


Vulnerability Details

If exploited, this vulnerability, CVE-2024-49019, could allow attackers to gain domain administrator privileges, significantly increasing their control over the affected network.

The vulnerability stems from improper permission management in version 1 certificate templates, where the Source of the subject name is set to “Supplied in the request.”

If enrollment permissions are granted too broadly, such as to domain users or domain computers, unauthorized users could request certificates with elevated privileges, leading to potential domain compromise.

Attack Metrics

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality, Integrity, Availability: High

Currently, there are no proven exploits in the wild, but due to its nature and potential impact, the vulnerability is considered more likely to be exploited.

To determine whether your environment is vulnerable, check the certificate templates published to your Certification Authorities for version 1 templates in which the subject name is supplied in the request, and verify that Enroll permissions on those templates are not broadly granted.

Version 1 templates that allow custom subject names are particularly at risk unless properly secured, although templates such as Web Server are not vulnerable by default because their enrollment permissions are restrictive.

This vulnerability was identified by TrustedSec researchers:

  • Lou Scicchitano
  • Scot Berner
  • Justin Bollinger

Recommendations and Mitigations

To mitigate the risk posed by CVE-2024-49019, Microsoft recommends several actions for securing certificate templates:

  1. Remove Overly Broad Enrollment Permissions: Review and restrict enrollment permissions to only necessary accounts. Explicitly deny permissions to users or groups that should not have access.
  2. Remove Unused Templates: If certain certificate templates are not required, remove them from your Certification Authorities to reduce the attack surface.
  3. Secure Templates with Custom Subject Requests:
  • Implement additional signatures on certificate requests.
  • Require certificate manager approval for templates allowing custom subject names.
  • Monitor certificates issued by these templates regularly.
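A triage check over exported template attributes, added here as an example and not code from the advisory, Microsoft or TrustedSec: it applies the version 1, subject-supplied-in-request and broad Enroll conditions described above, and treats the manager-approval and additional-signature mitigations just listed as clearing a template. The records are constructed; in practice they would be read from the Certificate Templates container in the Configuration partition, whose attribute names, flag bits and well-known SIDs the code uses.

```python
# Added example: triage AD CS template records for the CVE-2024-49019
# conditions. Attribute names, flag bits and SIDs are the standard AD ones;
# the template records at the bottom are constructed sample data.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (CA manager approval)
ENROLL_RIGHT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment right
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_DOMAIN_RIDS = {513: "Domain Users", 515: "Domain Computers"}

def broad_principal(sid):
    """Name of the broad group behind this SID, or None if it is not broad."""
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    if sid.startswith("S-1-5-21-"):  # domain SID: decide by the RID
        return BROAD_DOMAIN_RIDS.get(int(sid.rsplit("-", 1)[1]))
    return None

def triage_template(t):
    """Return (vulnerable, reasons) for one template record."""
    if t["msPKI-Template-Schema-Version"] != 1:
        return False, ["not a version 1 template"]
    if not t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return False, ["subject name is built from AD, not supplied in the request"]
    # Mitigations from the advisory: approval or extra signatures stop unattended issuance.
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return False, ["certificate manager approval required"]
    if t["msPKI-RA-Signature"] > 0:
        return False, ["additional signatures required on the request"]
    reasons = [f"Enroll granted to {broad_principal(a['sid'])}" for a in t["aces"]
               if a["type"] == "allow" and a["right"] == ENROLL_RIGHT_GUID
               and broad_principal(a["sid"])]
    return bool(reasons), reasons

def vulnerable_templates(templates):
    """Map template CN -> reasons, for every template that needs attention."""
    return {t["cn"]: r for t in templates for v, r in [triage_template(t)] if v}

def enroll_ace(sid):  # helper to build the constructed records below
    return {"type": "allow", "sid": sid, "right": ENROLL_RIGHT_GUID}

SAMPLE_TEMPLATES = [  # constructed export, not real directory data
    {"cn": "LegacyUserCustom", "msPKI-Template-Schema-Version": 1, "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0, "aces": [enroll_ace("S-1-5-21-11-22-33-513")]},
    {"cn": "WebServer", "msPKI-Template-Schema-Version": 1, "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0, "aces": [enroll_ace("S-1-5-21-11-22-33-512")]},
    {"cn": "Approved", "msPKI-Template-Schema-Version": 1, "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0, "aces": [enroll_ace("S-1-5-11")]},
]
```

Only LegacyUserCustom is reported: WebServer enrolls only RID 512 (Domain Admins), and Approved is cleared by the manager-approval flag.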
