Author: Fabian Crespo
Introduction
Active Directory Certificate Services (AD CS) is a critical component of the security infrastructure in many healthcare organizations. It provides a robust framework for managing authentication and encryption via digital certificates. The sensitive nature of healthcare data, which includes patient records and confidential medical information, makes it imperative for these organizations to implement stringent security measures around their certificate services.
ESC 1 – Misconfigured Certificate Template
Description
The ESC1 vulnerability allows attackers to exploit weak configurations in AD CS, potentially gaining unauthorized elevated privileges within an organization’s network. The ability of users to have an ENROLLEE_SUPPLIES_SUBJECT allows the certificate requestor to provide an alternate Subject Alternative Name (SAN). As a result, if the template allows client authentication and any user to request the certificate, then a malicious actor can authenticate on behalf of another user. As a result, a malicious actor could authenticate on behalf of a Domain Administrator and compromise the domain. With Domain Administrator privileges, malicious actors might be able to access unauthorized patient data and deploy ransomware.
Preventative Measures
- Disable ENROLLEE_SUPPLIED_SUBJECT to prevent alternative SAN requests.
- Ensure non-privileged users can request certificates.
- Enable auditing and logging for AD CS and review logs regularly to detect potential threats.
- Ensure the latest security updates and patches are applied to your AD CS server and critical systems.
ESC 8 – NTLM Relay To AD CS Web Enrollment Pages
Description
AD CS supports HTTP-based enrollment through the use of dedicated certificate servers. These HTTP-based certificate enrollments are susceptible to NTLM relay attacks. An attacker might be able to elevate privileges by obtaining an authentication certificate on behalf of a Domain Controller (DC). Since Domain Controllers have DC Synchronization capabilities, they would be able to replicate and obtain the credentials of all domain users, including Domain Administrators. As a result, a malicious actor might be able to utilize this vulnerability to elevate privileges within the domain. After elevating privileges, they might be able to access, modify, and deny patient data stored within all domain workstations. Additionally, malicious actors could deploy ransomware via Group Policy with Domain Administrator privileges.
Preventative Measures
- Refer to Microsoft’s KB5005413 for mitigation guidance
- Remote Procedure Call (RPC) filters may also be implemented to block remote access to the interface UUIDs necessary for this exploit.
- Restrict Outbound New Technology LAN Manager (NTLM) Authentication.
- Disable AD CS Web Enrollment.
