ESC6
ESC6 occurs when a Certificate Authority (CA) has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled in its configuration. This flag allows certificate requesters to specify arbitrary Subject Alternative Name (SAN) values. If Microsoft's May 2022 security update has not been applied, the CA may be vulnerable to privilege escalation.
Under these conditions, any certificate template that supports Client Authentication and is enrollable by low-privileged users becomes a potential attack vector. This makes ESC6 similar in effect to ESC1, as an attacker can request a certificate with a forged SAN, impersonating a privileged user. Even the default "User" template could be exploited in this manner, allowing a standard domain user to escalate to a domain administrator.
Requirements: all of the following conditions must hold.

- The CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set.
- The security patch for CVE-2022-26932 has not been applied to the CA.
- Access to an account that is permitted to enroll in a template which also supports Client Authentication (the default "User" template is sufficient in most cases).
Certify can be used to check the Certificate Authorities for the EDITF_ATTRIBUTESUBJECTALTNAME2 flag.
The steps to perform the attack are almost identical to ESC1 except we pick the default "User" template or any other candidate template if required.
After retrieval, we can follow the remainder of the steps within ESC1 to complete the attack.
Remove the EDITF_ATTRIBUTESUBJECTALTNAME2 flag from the Certificate Authority.
Run the following on the Certificate Authority as Domain Administrator.
After doing so, restart the service to allow changes to take place.
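The check and the remediation described above, as an added PowerShell example (not code from the original page). It reads the policy module's EditFlags with certutil, tests the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x00040000), clears it and restarts the CA service. The CA config string is a hypothetical placeholder and must be replaced with the real "<CA host>\<CA name>"; the script is meant to run on the CA itself with administrative rights.

```powershell
# Added example: detect and remove EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6) on a CA.
# The config string below is a hypothetical placeholder; replace it with "<CA host>\<CA name>".
$CaConfig = "CA01.corp.example\corp-CA01-CA"

# EDITF_ATTRIBUTESUBJECTALTNAME2 is bit 0x00040000 of the policy module's EditFlags DWORD.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

function Get-CaEditFlags {
    param([string]$Config)
    # certutil prints a line such as "  EditFlags REG_DWORD = 11014e (1114446)"
    # followed by one line per flag that is set. We parse the hex value.
    $out = certutil -config $Config -getreg policy\EditFlags 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $out" }
    $m = [regex]::Match(($out -join "`n"), 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)')
    if (-not $m.Success) { throw "Could not parse EditFlags from certutil output" }
    return [Convert]::ToInt32($m.Groups[1].Value, 16)
}

function Test-Esc6 {
    param([string]$Config)
    $flags = Get-CaEditFlags -Config $Config
    return (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

if (Test-Esc6 -Config $CaConfig) {
    Write-Warning "$CaConfig has EDITF_ATTRIBUTESUBJECTALTNAME2 set (ESC6)."

    # A leading '-' tells certutil to clear the named flag from EditFlags.
    certutil -config $CaConfig -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    if ($LASTEXITCODE -ne 0) { throw "Failed to clear the flag" }

    # The policy module only re-reads EditFlags when the service starts.
    Restart-Service -Name CertSvc

    if (Test-Esc6 -Config $CaConfig) { throw "Flag is still set after restart" }
    Write-Output "EDITF_ATTRIBUTESUBJECTALTNAME2 removed from $CaConfig and CertSvc restarted."
} else {
    Write-Output "$CaConfig does not have EDITF_ATTRIBUTESUBJECTALTNAME2 set."
}
```

The same check can be performed from any domain-joined host with Certify (`Certify.exe cas`), which reports the flag as "UserSpecifiedSAN" for each CA; the certutil query above gives the authoritative registry value on the CA and is the one to re-run after remediation to confirm the flag is gone.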