
MsPKI-Certificate-Name-Flag

[Open] Kirchmeister opened this issue 1 year ago · 2 comments

Hi. I might be wrong and I haven't tested it yet, but you are filtering the above setting for a 1 in "Find Templates with Bad Configs". Wouldn't a 9 be equally critical? I mean, for renewals it seems to be locked by this option, but isn't it the same risk for new certs as with a 1?

Kirchmeister, Jun 15 '23 10:06

This is interesting.

Is the attack path you envision:

  1. Attacker compromises users
  2. Attacker finds template vulnerable to ESC1
  3. Attacker requests template with the SAN of a high-value account
  4. Attacker finds template with msPKI-Certificate-Name-Flag set to 9
  5. Attacker requests a different template using the first template as "proof"

TrimarcJake, Jul 04 '23 18:07

Thanks for replying. I'm not sure exactly what you mean by point 5. If you are able to request a malicious cert when the flag is set to 1 and the remaining patterns for ESC1 match, then you might even be able to request a new cert under 9 in the same way. That whole risk might not exist when the template is set to 9 and applies to existing legitimate certs which haven't been created by a malicious actor, as they were initially created "clean". But from the GUI description it looked to me like 9 may allow the escalation as well. I don't have our prod environment in front of me and I also don't have a lab environment for testing.

Kirchmeister, Jul 04 '23 20:07
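The question raised in the opening post and revisited in the last reply comes down to how msPKI-Certificate-Name-Flag is compared. The attribute is a bit field (MS-CRTD section 2.27): 1 is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT on its own, and 9 is that same bit plus CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME (0x8), the renewal setting the opening post mentions. A check written as `-eq 1` therefore only matches templates whose value is exactly 1 and silently skips 9, 65537 (0x10001) and any other combination that still has bit 0 set; a bitwise `-band 1` catches all of them. The script below is an added example, not code from the adcs-snippets repository or from either commenter; the flag constants are the documented ones, while the template names and values in `$templates` are constructed sample data (the User value is the real default, shown as the negative Int32 AD returns it). Note that this bit is only one ESC1 precondition; enrollment rights, a client-authentication EKU and the absence of manager approval still have to be checked separately.

```powershell
# Added example: compare an exact-value check with a bitwise check on
# msPKI-Certificate-Name-Flag. Not code from adcs-snippets or this issue thread.

# Documented flag constants (MS-CRTD 2.27). The L suffix keeps them Int64 so that
# 0x80000000 is not parsed as a negative Int32.
$NameFlags = [ordered]@{
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT              = 0x00000001L
    CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME = 0x00000008L
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME     = 0x00010000L
    CT_FLAG_SUBJECT_ALT_REQUIRE_UPN                = 0x02000000L
    CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL              = 0x04000000L
    CT_FLAG_SUBJECT_ALT_REQUIRE_DNS                = 0x08000000L
    CT_FLAG_SUBJECT_REQUIRE_EMAIL                  = 0x20000000L
    CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME            = 0x40000000L
    CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH         = 0x80000000L
}

function ConvertTo-NameFlagValue {
    # AD stores the attribute as a signed Int32, so values with bit 31 set
    # (e.g. 0xA6000000) come back negative; mask to the unsigned 32-bit pattern.
    param([Parameter(Mandatory)]$Value)
    return ([int64]$Value -band 0xFFFFFFFFL)
}

function Get-NameFlagNames {
    # Decode a raw attribute value into the names of the bits that are set.
    param([Parameter(Mandatory)]$Value)
    $bits = ConvertTo-NameFlagValue $Value
    $NameFlags.GetEnumerator() |
        Where-Object { ($bits -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-EnrolleeSuppliesSubject {
    # True whenever bit 0 is set, regardless of any other bits (1, 9, 0x10001, ...).
    param([Parameter(Mandatory)]$Value)
    $bits = ConvertTo-NameFlagValue $Value
    return (($bits -band $NameFlags.CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0)
}

# Constructed sample templates (hypothetical names), shaped like the objects
# Get-ADObject returns when asked for the msPKI-Certificate-Name-Flag property.
$templates = @(
    [pscustomobject]@{ Name = 'User';      'msPKI-Certificate-Name-Flag' = -1509949440 }  # 0xA6000000: subject built from AD
    [pscustomobject]@{ Name = 'WebServer'; 'msPKI-Certificate-Name-Flag' = 1 }            # exactly ENROLLEE_SUPPLIES_SUBJECT
    [pscustomobject]@{ Name = 'LegacyVPN'; 'msPKI-Certificate-Name-Flag' = 9 }            # 0x1 + 0x8, the case from the issue
    [pscustomobject]@{ Name = 'CodeSign';  'msPKI-Certificate-Name-Flag' = 65537 }        # 0x1 + 0x10000
)

# The narrow check described in the issue: only the exact value 1 matches.
$exact   = $templates | Where-Object { $_.'msPKI-Certificate-Name-Flag' -eq 1 }
# The bitwise check: every template where the enrollee can supply the subject.
$bitwise = $templates | Where-Object { Test-EnrolleeSuppliesSubject $_.'msPKI-Certificate-Name-Flag' }

"-eq 1   matches: $($exact.Name -join ', ')"
"-band 1 matches: $($bitwise.Name -join ', ')"
foreach ($t in $bitwise) {
    $names = (Get-NameFlagNames $t.'msPKI-Certificate-Name-Flag') -join ' | '
    '{0,-10} {1,12}  {2}' -f $t.Name, $t.'msPKI-Certificate-Name-Flag', $names
}
```

With these sample values the exact comparison returns only WebServer, while the bitwise one returns WebServer, LegacyVPN and CodeSign, and the decoder shows LegacyVPN's 9 as CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT | CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME. To run it against a real forest, replace `$templates` with the output of `Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Filter * -Properties msPKI-Certificate-Name-Flag` and feed the result through the same `Where-Object` filters.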