We're headed to GridSecCon 2024, October 22-25 in Minneapolis, MN! Learn more here
Schedule a Demo
Blog July 26, 2021 CES/CEP, Cybersecurity, Exploits, Known Issues, Web Enrollment

Microsoft Security Advisory for ADCS exploit – ADV210003

by Mark B. Cooper

This morning we provided details to our existing support and co-management customers on a recent notice of vulnerability to certain Microsoft ADCS configurations. The exploit involves NTLM and leveraging some ADCS PKI components. Full details can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV210003.

Got a PKI Problem?

We can help! Learn more about custom PKI consulting and assessments.

Discover Consulting for Every PKI Need

Summary

In environments with NTLM authentication still enabled in Active Directory and when using ADCS Web Enrollment portal (/certsrv) or ADCS CES/CEP (Certificate Enrollment Web Services protocol), an attacker can trick Active Directory into providing NTLM credentials as a domain controller and then self-elevate to Domain or Enterprise Admins. This is essentially an NTLM Relay Attack.

Mitigation

This can be resolved by following recommendations in https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429. These options include:

  • Disabling NTLM for Active Directory. The most thorough but potentially large undertaking in an environment due to potential known or unknown compatibility issues.
  • Disabling NTLM for servers running ADCS
  • Disabling NTLM for the ADCS Web Enrollment and CES/CEP web application pools.
  • Enable Extended Protection for ADCS Web Enrollment and CEs/CEP Web application pools.

Considerations

While this attack vector has not been seen as exploited, we suspect it will be due to the ease of elevation. Additionally, when transitioning from NTLM to Kerberos authentication, you should give careful consideration to the URL being used to access the web enrollment website. If you are using a URL other than the hostname, such as a CNAME alias like https://certs/certsrv or https://certs.contoso.com/certsrv these will need to be added as Kerberos SPNs to the server running the website. NTLM did not require this step.

We will be releasing a script shortly to assist in the discovery of your AD and server configuration to indicate which systems and environments are impacted. If you would like to receive notification of that availability, please do let us know.

Related Resources

  • Blog
    May 25, 2023

    Escalating from child domain’s admins to enterprise admins in 5 minutes by abusing AD CS, a follow up

    Active Directory, Certificates, Exploits, Permissions, PKI
  • Blog
    October 19, 2022

    The mystery of “Valid existing certificate” setting in ADCS certificate templates – demystified

    Certificate Requests, Certificate Templates, Enrollment, Known Issues, PKI
  • Blog
    March 24, 2022

    Certificate renewal request is placed in pending state when Valid Existing Certificate is selected in certificate template

    Certificate Requests, Certificate Templates, Enrollment, Known Issues, PKI

Mark B. Cooper

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.

View All Posts by Mark B. Cooper

Comments

  • The PetitPotam POC for NTLM relay via ADCS web services seems to be based on prior work from SpecterOps whitepaper ‘Certified_Pre-Owned.pdf’ from June 2021 and due to be presented at Blackhat 2021 next week. This is an interesting and scary document detailing a number of know, but little understood, vulnerabilities in a (even slightly) misconfigured ADCS deployment. Certainly worth basing your next risk assessment on.

    • Good point. We will be adding this and others to our Advanced Assessments to review with enterprises.

  • I implemented the recommendation from microsoft and blocked NTLM incoming and change the authentication to negotiate:kerberos, but now i always get an RPC error when i request a certificate. What can I do now? I hope you have an Idea

  • Question about NDES, it does not have Windows authentication enabled by default but SCEP App pool is using NTLM there . . Is there any possibility to change behavior to Kerberos without disabling NTLM for whole server? Will it even work =)

    Did you do any test on NDES site?

    Thanks!

    • Yes, you can disable NTLM just for the web enrollment site and not the entire server. SCEP/NDES were not identified as part of the vulnerability.

Leave a Reply

Your email address will not be published. Required fields are marked *