Black Hat USA 2021 is taking place from July 31st through August 5th this year. As always, it promises to be filled with interesting and educational content. One presentation that is generating some early attention focuses on an overlooked vulnerability in Microsoft’s Active Directory Certificate Services (AD CS) implementation.
The reason this talk is significant is because the researchers, Will Schroeder and Lee Christensen, plan to release two tools to exploit the weaknesses that they uncovered. Schroeder and Christensen are not merely trying to be thorns in every sysadmin’s side, as they have also developed an auditing tool to reveal if your AD CS is vulnerable.
Let’s take a very superficial look at what they discovered, and what it means to you if you use AD Certificate Services, and one simple way to avoid the problem. The researchers have also released their full technical report for public consumption.
Schroeder and Christensen have found vulnerabilities in the templates offered in Microsoft’s Certificate Services. A hasty action by an unwary Active Directory administrator can open these templates to easy forgery, leading up to full Domain Administrator permissions for any domain user.
This revelation should be shocking, as it means that an attacker no longer needs to find an active administrative account to exploit to gain full domain control. They only need to gain access to any account on the domain, including the Default User account. Think about how easy that is to accomplish.
Why would anyone use the Certificate Services offered in Active Directory? As with all things, if it is deceptively easy to implement, and it is already part of a pre-packaged product, such as Microsoft’s Active Directory. The gravitational pull towards using that built-in feature is overwhelming. The real question is, why would anyone alter a template and place it in a vulnerable state? One reason is because of the power of Active Directory.
The AD system can be used to administer a small network all the way up to global enterprises. In some cases, setting up and configuring such a robust system can be challenging if not handled by an experienced, trained professional. To get a system functioning smoothly, a sysadmin may adjust something as trivial as the expiration date on the Default User template, and that alone is enough to create a vulnerability. As Schroeder and Christensen discovered, something as simple as that action can leave an account vulnerable, even if the affected user changes the account password.
Schroeder and Christensen are not malicious hackers. Anyone who reads the report will see that they are serious, learned, responsible, and encephalo-elevated researchers, seeking to improve security, not to harm anyone. Their report is well-organized, thorough, and highly technical. Why are they making this public? They are doing so because, like all researchers, they realize that if they discovered this, so can someone else.
They also took the opportunity to alert Microsoft about their discovery, and Microsoft basically responded that it is not a problem that they seek to correct, as the vulnerability is not set by default, but through a misconfiguration. Microsoft has responded in similar fashion, for example, when a researcher found a multi-factor bypass in Outlook Web Services.
Schroeder and Christensen’s upcoming presentation is sure to be a fascinating revelation of what can truly go wrong when something as powerful as Microsoft’s Active Directory is not administered or managed correctly.
An easier way for an organization to avoid such a problem is to use a Public Key Infrastructure (PKI) platform that can help you avoid costly and dangerous misconfigurations.
Many modern organizations need the security and trust of a private PKI, but lack the expertise, the architectural know-how, or the money to build their own iron-clad infrastructure. Venafi’s Zero Touch PKI is a fully SaaS-based alternative to creating and running your own internal PKI. It can be configured and managed in any way you need, in conjunction with multiple Certificate Authorities, and with the options you need for security and traceability.