How to Protect Your Active Directory Domain Services From CVE-2022-34691

A team of security researchers Oliver Lyak (@ly4k_), Zoltan Harmath from Microsoft, disclosed an Improper Authorization Vulnerability in ADCS that allows the attacker to authenticate as a domain administrator by obtaining a certificate using a crafted Certificate Signing Request. The flaw tracked as CVE-2022-34691 has got a CVSS score of 8.4 out of 10 with a High severity rating. Since attackers can abuse the flaw and can elevate privileges and execute arbitrary code on the domain-connected endpoints, it is very important to protect your Active Directory Domain Services from CVE-2022-34691.

A Quick Note on Active Directory Domain Services

Before securing your system from this high-severity vulnerability (CVE-2022-34691), here is a short note on AD DS. Basically, “a directory is a hierarchical structure for storing information about objects on the network. Active Directory Domain Services not only provide the methods of storing data but also the availability of that data to network users and administrators”.

What Is Microsoft Adcs (Active Directory Certificate Service)?

Microsoft Active Directory Certificate service is a CA (Certificate Authority) used to issue certificates to meet the internal certificate needs for secure communication.

Users can request a certificate for the Web browser, e-mail client, Remote Desktop Connections, and any applications or services from ADCS. You can request a certificate for pretty much anything. ADCS supports all standard and custom templates to issue certificates.

What Is a Certificate Signing Request?

It is the first entity to obtain digital certificates. A certificate signing request (CSR) is sent to the certificate authority from applicants. And it is important because it contains a public key of the entity to which a certificate is assigned, information is verified like domain name and integrity protection such as a digital signature.

Summary of CVE-2022-34691

Primarily, this is an improper Authorization Vulnerability in AD CS. This vulnerability allows network attackers to elevate privileges on affected ADCS, and this occurs when Kerberos distribution center servicing authentication service on certificate-based authentication system. ADCS runs on the Domain and could be affected by this Improper Authorization Vulnerability.

The main and exact flaw is lice in the issuance of the certificate. The attacker can exploit this vulnerability just by submitting a certificate signing request to the ADCS with additional crafted data. Once the attacker exploits the flaw, he can obtain a valid certificate that enables him to authenticate as a domain administrator. I hope you know what a domain administrator can do with domain endpoints in AD. That’s what the attacker can do here too. Once the attacker authenticates as a domain administrator, he can easily escalate privileges and execute arbitrary code on the Domain joined endpoints.

How to Protect Your Active Directory Domain Services From CVE-2022-34691?

First of all, the system is vulnerable only in one condition if ADCS runs on the Domain. So, the offline root CA and intermediate CA could not be affected by the CVE-2022-34691 vulnerability.

Microsoft released the patches and asked admins to apply KB5016681 patches that would probably fix the issue. You should update all servers that run, specifically Windows domain controllers and AD CS (Active Directory Certificate Services). Other things you may need to check out are:

After installation of the update, an audit event log is created. If it is not created on domain controllers after one month, enable full enforcement mode on all controllers.

Failure of sign-in may occur after installing CVE-2022-34691 protection that protects Your Active Directory Domain Services.

Perform the following steps.

We hope this post would help you know how to protect your Active Directory Domain Services from CVE-2022-34691, an improper Authorization Vulnerability in ADCS. Please share this post if you find this interested. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr,  Medium & Instagram, and subscribe to receive updates like this.