Security researchers Oliver Lyak (@ly4k_) and Zoltan Harmath from Microsoft disclosed an Improper Authorization Vulnerability in ADCS that allows an attacker to authenticate as a domain administrator by obtaining a certificate from a crafted Certificate Signing Request. The flaw, tracked as CVE-2022-34691, has a CVSS score of 8.4 out of 10 with a High severity rating. Since attackers can abuse the flaw to elevate privileges and execute arbitrary code on domain-connected endpoints, it is very important to protect your Active Directory Domain Services from CVE-2022-34691.
A Quick Note on Active Directory Domain Services
Before securing your system against this high-severity vulnerability (CVE-2022-34691), here is a short note on AD DS. Basically, “a directory is a hierarchical structure for storing information about objects on the network. Active Directory Domain Services not only provide the methods of storing data but also the availability of that data to network users and administrators”.
What Is Microsoft ADCS (Active Directory Certificate Services)?
Microsoft Active Directory Certificate Services is a Certificate Authority (CA) used to issue certificates that meet an organization's internal certificate needs for secure communication.
Users can request certificates from ADCS for web browsers, e-mail clients, Remote Desktop connections, and any other application or service; you can request a certificate for pretty much anything. ADCS supports both standard and custom templates for issuing certificates.
What Is a Certificate Signing Request?
A certificate signing request (CSR) is the first step in obtaining a digital certificate. The applicant sends the CSR to the certificate authority, and it matters because it contains the public key of the entity the certificate will be issued to, the identifying information to be verified (such as the domain name), and integrity protection in the form of a digital signature.
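As an added illustration, not taken from the original post, this PowerShell builds a CSR with certreq and decodes it with certutil so the three parts named above (subject information, public key, and signature) can be inspected. The hostname and file names are constructed sample values; MachineKeySet requires an elevated prompt.

```powershell
# Added example: build a PKCS#10 CSR with certreq.exe and inspect its contents.
# The subject name and file paths are constructed sample values.
$inf = @"
[NewRequest]
Subject = "CN=app01.corp.example"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
[Extensions]
; Subject Alternative Name (OID 2.5.29.17) carried inside the request itself
2.5.29.17 = "{text}"
_continue_ = "dns=app01.corp.example&"
"@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# Generates the key pair in the machine store and writes the signed request.
certreq.exe -new .\request.inf .\request.req

# Decode the request: certutil prints the Subject, the SAN extension,
# the public key, and the signature that protects the request's integrity.
certutil.exe -dump .\request.req
```

Everything in the decoded output, including the subject and alternative names, came from the requester's INF, which is why the CA must validate these fields against the requester's identity rather than trust them as submitted.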
Summary of CVE-2022-34691
Primarily, this is an Improper Authorization Vulnerability in AD CS. It allows a network attacker to elevate privileges on an affected ADCS deployment, and it arises when the Kerberos Key Distribution Center services authentication requests that use certificate-based authentication. An ADCS instance that runs on the domain can be affected by this Improper Authorization Vulnerability.
The exact flaw lies in the issuance of the certificate. The attacker can exploit this vulnerability simply by submitting a certificate signing request with additional crafted data to the ADCS. Once the flaw is exploited, the attacker obtains a valid certificate that lets them authenticate as a domain administrator. You know what a domain administrator can do with domain endpoints in AD; that is what the attacker can do here too. Once authenticated as a domain administrator, the attacker can easily escalate privileges and execute arbitrary code on domain-joined endpoints.
| Attribute | Value |
| --- | --- |
| Associated CVE ID | CVE-2022-34691 |
| Description | An Improper Authorization Vulnerability in ADCS |
| Associated ZDI ID | – |
| CVSS Score | 8.4 High |
| Attack Vector (AV) | Adjacent Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | High |
| User Interaction (UI) | None |
How to Protect Your Active Directory Domain Services From CVE-2022-34691?
First of all, the system is vulnerable under only one condition: when ADCS runs on the domain. An offline root CA or intermediate CA is therefore not affected by CVE-2022-34691.
Microsoft released patches and asked admins to apply the KB5016681 update, which should fix the issue. You should update all affected servers, specifically Windows domain controllers and servers running AD CS (Active Directory Certificate Services). Other things you may need to check are:
- Check certificate-based authentication with the 10 May 2022 update. This update also provides audit events that identify certificates that are not compatible with full enforcement mode.
- After enabling compatibility mode, check it and review the certificate mapping.
After installation of the update, audit events are logged. If no such event has appeared on the domain controllers after one month, enable full enforcement mode on all of them.
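As an added example (not from the original post), the following PowerShell, run on each domain controller, checks that the update is present, looks back 30 days for the KDC audit events the update adds, and switches to full enforcement only when none were logged. KB5016681 is the KB the post names (use the KB for your OS build); the registry value StrongCertificateBindingEnforcement and the event IDs 39, 40 and 41 come from Microsoft's KB5014754 guidance rather than from this page.

```powershell
# Added example: run on a domain controller. Verifies the update, counts the
# KDC audit events for weakly mapped certificates, and sets enforcement mode.
# KB5016681 is taken from the post; registry value and event IDs are from
# Microsoft's KB5014754 guidance.
$kb = 'KB5016681'
if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
    Write-Warning "$kb is not installed on $env:COMPUTERNAME"
}

# KDC events in the System log: 39 = certificate has no strong mapping,
# 40 = certificate issued before the account existed, 41 = SID mismatch.
$audit = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 39, 40, 41
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Kdc|Kerberos-Key-Distribution-Center' })

# Summary per event ID so the remaining weak mappings can be tracked down.
$audit | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
if ($audit.Count -eq 0) {
    # 2 = full enforcement: certificates without a strong mapping are rejected.
    Set-ItemProperty -Path $kdcKey -Name StrongCertificateBindingEnforcement -Value 2 -Type DWord
    "Full enforcement enabled on $env:COMPUTERNAME"
} else {
    # 1 = compatibility mode: weak mappings still work but are audited.
    Write-Warning "Weakly mapped certificates still in use; staying in compatibility mode"
    Set-ItemProperty -Path $kdcKey -Name StrongCertificateBindingEnforcement -Value 1 -Type DWord
}
```

Run it on every domain controller, since the enforcement setting is per KDC and a single controller left in compatibility mode keeps accepting the weak mappings.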
Sign-in failures may occur after installing the CVE-2022-34691 protection for your Active Directory Domain Services. In that case, perform the following steps.
- Use the Kerberos operational log on the relevant computer to identify the domain controller against which sign-in is failing.
- Go to Event Viewer > Applications and Services Logs \ Microsoft \ Windows \ Security-Kerberos \ Operational.
- Check the System event log on the domain controller the account is trying to authenticate against for critical events.
- Check the certificate's validity period. If the certificate is older than the account, reissue it or add a secure altSecurityIdentities mapping to the account.
- Verify the SID; it should match the account.
- If a single certificate is used to authenticate several accounts, each account needs its own altSecurityIdentities mapping.
- Add a secure mapping to the certificate if one does not already exist, or leave the domain in compatibility mode until one can be added.
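The last four steps, as an added PowerShell example that is not part of the original post: it compares the certificate's issue date with the account's creation date, builds a strong Issuer+SerialNumber altSecurityIdentities mapping in the X509:<I>...<SR>... form documented by Microsoft, and adds it to the account if missing. The account name, certificate path and the New-IssuerSerialMapping helper are constructed for this example; it assumes the ActiveDirectory module is available.

```powershell
# Added example: per-account remediation for a certificate the KDC rejects
# after the update. Account name, certificate path and the helper function
# are constructed for this example; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$sam  = 'jdoe'                                   # constructed sample account
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\jdoe.cer'
$user = Get-ADUser -Identity $sam -Properties whenCreated, altSecurityIdentities

# Condition behind KDC event 40: a certificate issued before the account
# existed is rejected unless an explicit strong mapping is present.
if ($cert.NotBefore -lt $user.whenCreated) {
    Write-Warning "Certificate predates account $sam; reissue it or add a strong mapping"
}

# Strong mapping X509:<I>issuer<SR>serial: the issuer DN is written with its
# RDNs in reverse order and the serial number with its bytes reversed.
function New-IssuerSerialMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Assumes no RDN value contains an escaped comma (constructed simplification).
    $rdns = $Certificate.Issuer -split ',\s*'
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # SerialNumber is a big-endian hex string; the mapping wants little-endian.
    $pairs = @([regex]::Matches($Certificate.SerialNumber, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    $serial = -join $pairs

    "X509:<I>$issuer<SR>$serial"
}

$mapping = New-IssuerSerialMapping -Certificate $cert
if ($user.altSecurityIdentities -notcontains $mapping) {
    # A certificate shared by several accounts needs this value on each of them.
    Set-ADUser -Identity $sam -Add @{ altSecurityIdentities = $mapping }
}
$mapping
```

The Issuer+SerialNumber form is tied to one specific certificate, so the mapping must be updated whenever the certificate is renewed; that is the trade-off for a mapping the KDC accepts in full enforcement mode.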
We hope this post helps you understand how to protect your Active Directory Domain Services from CVE-2022-34691, an Improper Authorization Vulnerability in ADCS.