New ESC15 vulnerability discovered in Active Directory Certificate Services - easy-to-implement countermeasures

The purposes for which a digital certificate may be used are controlled via the "Key Usage" and "Extended Key Usage" certificate extensions. The "Extended Key Usage" certificate extension lists the extended key usages for which the certificate may be used.

However, there is another certificate extension called "Application Policies" for certificates issued by a Microsoft Certification Authority, which also contains a list very similar to the Extended Key Usages extension.

Justin Bollinger from TrustedSec has found out that, because offline certificate requests against schema version 1 certificate templates are possible (similar to the Security Identifier extension), any Application Policies contained in the certificate request are transferred unchanged to the issued certificate and can then be used for an attack on the entire Active Directory forest. The attack was christened ESC15.

Continue reading „New ESC15 vulnerability discovered in Active Directory Certificate Services - easy-to-implement countermeasures“

A policy module to tame them all: Introducing the TameMyCerts Policy Module for the Microsoft Certification Authority.

As a Certification Authority operator, you are (among other things) responsible for identifying the enrollees and confirming the requested identities. That this task is carried out conscientiously and without error is the central pillar of the trust placed in the certification authority. Well-known companies have already failed at this task, have had to file for insolvency as a result of misissuances, and/or have been severely punished by the big players in the market.

In many cases, we as (Microsoft) PKI operators in companies are able to delegate our task of uniquely identifying an applicant to Active Directory (regardless of the quality of the identification it provides). In many cases, however, we unfortunately also have to instruct our certification authority (or authorities) to simply issue everything that is requested.

Continue reading „A policy module to tame them all: Introducing the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services“

Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)

With the May 10, 2022 patch, Microsoft is attempting to close a vulnerability in the certificate-based logon to Active Directory (commonly known as PKINIT or Smartcard Logon).

The update changes both the behavior of the Certification Authority and the behavior of Active Directory when processing certificate-based logons.

Continue reading „Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)“

The "Application Policies" certificate extension

The purposes for which a digital certificate may be used are controlled via the certificate extensions "Key Usage" and "Extended Key Usage".

In the "Extended Key Usage" certificate extension, the extended key uses for which the certificate may be used.

However, there is another certificate extension called "Application Policies" for certificates issued by a Microsoft Certification Authority, which also contains a list very similar to the Extended Key Usages extension.

Continue reading „The "Application Policies" certificate extension“

New certificates are regularly requested via Autoenrollment

Assume the following scenario:

  • A certificate template is configured for automatic request and issuance (AutoEnrollment).
  • Users or computers apply for new certificates at regular intervals and long before the defined renewal period.

Continue reading „New certificates are regularly requested via Autoenrollment“

The key algorithm of certificate requests is not checked by the certification authority's policy module

Assume the following scenario:

  • A certificate template is configured to use elliptic curve based keys (e.g. ECDSA_P256).
  • As a result, a minimum key length of 256 bits is configured.
  • Nevertheless, certificate requests that use other ECC curves or RSA-based keys are also signed by the certification authority.

Continue reading „The key algorithm of certificate requests is not checked by the certification authority's policy module“

Active Directory forest compromised by EDITF_ATTRIBUTESUBJECTALTNAME2 flag

Unfortunately, a great many instructions circulate on the net (the big players are not excluded from this, not even Microsoft itself or Grand Master Komar) which fatally recommend that the EDITF_ATTRIBUTESUBJECTALTNAME2 flag be set on the certification authority, supposedly in order to be able to issue certificates with a Subject Alternative Name (SAN) extension for manually submitted certificate requests.

Unfortunately, this approach is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory forest.

Continue reading „Active Directory forest compromised by the EDITF_ATTRIBUTESUBJECTALTNAME2 flag“