Difference between revisions of "Enterprise Certificate Authority"

From MgmtWiki
Jump to: navigation, search
(Problems)
(Problems)
Line 8: Line 8:
  
 
==Problems==
 
==Problems==
There have been multiple vulnerabilities reported to the US Government the top three in 2022 are for Microsoft AD.
+
In general, the problems are created by a mismatch between the [[MTLS]] authentication result and the identity of the principle in the enterprise network. There have been multiple vulnerabilities reported to the US Government the top three in 2022 are for Microsoft AD.
 
* [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691 CVE-2022-34691] An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.
 
* [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691 CVE-2022-34691] An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.
 
* [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931 CVE-2022-26931] Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.
 
* [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931 CVE-2022-26931] Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

Revision as of 15:54, 8 February 2023

Full Title or Meme

Any Certificate Authority that is designed to apply to people, natural or otherwise, that are known to the Enterprise.

Context

Problems

In general, the problems are created by a mismatch between the MTLS authentication result and the identity of the principle in the enterprise network. There have been multiple vulnerabilities reported to the US Government the top three in 2022 are for Microsoft AD.

  • CVE-2022-34691 An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.
  • CVE-2022-26931 Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.
  • CVE-2022-26923 A system is vulnerable only if both the Active Directory Certificate Services role and the Active Directory Domain Services role are installed on a server in the network. Note that they would not necessarily need to be on the same server.

Solutions

References