Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2022-26923 aka Certifried

Exploited in the Wild
Reported by AttackerKB Worker

Description

Active Directory Domain Services Elevation of Privilege Vulnerability.

Technical Analysis

This vulnerability enables a low-privileged user to escalate privileges in a default Active Directory environment with Active Directory Certificate Services (AD CS) installed. AD CS is Microsoft’s public key infrastructure (PKI) implementation, which enables the issuing of certificates. Since AD CS is coupled with Active Directory, certificates can be used to authenticate against the KDC via the PKINIT Kerberos extension. The identity of a domain computer account is provided by the DNS name in the certificate.

The owner of a computer account has write permission on the computer dNSHostName property. As a result, it is possible to set it to any existing DNS host name in the domain, which will be the DNS host name in the issued certificate. This certificate can then be used to authenticate against the KDC.

In order to achieve privilege escalation, the DNS host name is set to a valid Domain Controller (DC) host name, resulting in a successful authentication as the DC account. Being able to authenticate as the DC account gives enough privileges to impersonate a Domain Administrator.

Here is a common exploitation workflow:

  1. Using a low-privileged domain account, create a new computer account in the Active Directory. Note that any domain user is allowed to do so, as long as the user’s ms-DS-MachineAccountQuota property is greater than 0 (set to 10 by default).
  2. Set the newly created computer dNSHostName attribute to match the DC DNS host name.
  3. Request a certificate for this computer.
  4. Authenticate as the DC account with this certificate.
  5. Request a Service Ticket (TGS) impersonating a Domain Administrator account.

This attack has been fully automated in a Metasploit module (still a WIP at the time of writing). The resulting TGS can be used by any Metasploit module and external tools to impersonate a Domain Administrator.

Microsoft released a patch on May 10, 2022.
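As an added example (not part of this assessment or of the Metasploit module), the following Python audit flags computer objects whose dNSHostName has been pointed at another machine's name, which is the state that step 2 of the workflow above produces. The records and the domain corp.example are constructed; on a real domain the same logic runs over an LDAP export of computer objects.

```python
from collections import defaultdict

DOMAIN_CONTROLLERS_GID = 516  # primaryGroupID of the "Domain Controllers" group

# Constructed sample of computer objects for a hypothetical domain corp.example,
# shaped like an LDAP export (sAMAccountName, dNSHostName, primaryGroupID).
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example", "primaryGroupID": 516},
    {"sAMAccountName": "WS-42$", "dNSHostName": "ws-42.corp.example", "primaryGroupID": 515},
    # a freshly created machine account whose dNSHostName was rewritten to the DC's name
    {"sAMAccountName": "EVIL$", "dNSHostName": "dc01.corp.example", "primaryGroupID": 515},
    # a mismatch that is not a DC collision: still worth triage
    {"sAMAccountName": "LAB07$", "dNSHostName": "printer.corp.example", "primaryGroupID": 515},
    # attribute never set: nothing to compare yet
    {"sAMAccountName": "NEWPC$", "dNSHostName": None, "primaryGroupID": 515},
]


def expected_host(sam_account_name):
    """Host label a well-formed computer account carries: sAMAccountName minus the '$'."""
    return sam_account_name.rstrip("$").lower()


def audit_dns_host_names(records):
    """Return {sAMAccountName: [reasons]} for computer objects whose dNSHostName
    could let a certificate be issued for another machine's identity."""
    dc_hosts = {r["dNSHostName"].lower() for r in records
                if r.get("dNSHostName") and r.get("primaryGroupID") == DOMAIN_CONTROLLERS_GID}
    findings = defaultdict(list)
    for r in records:
        sam, fqdn = r["sAMAccountName"], r.get("dNSHostName")
        if not fqdn:
            continue
        fqdn = fqdn.lower()
        host = fqdn.split(".", 1)[0]  # DNS names are case-insensitive
        if host != expected_host(sam):
            findings[sam].append(f"dNSHostName host label '{host}' does not match account name")
        if fqdn in dc_hosts and r.get("primaryGroupID") != DOMAIN_CONTROLLERS_GID:
            findings[sam].append(f"dNSHostName '{fqdn}' collides with a domain controller")
    return dict(findings)


if __name__ == "__main__":
    for sam, reasons in audit_dns_host_names(SAMPLE_COMPUTERS).items():
        print(sam, "->", "; ".join(reasons))
```

A collision with a DC name is the Certifried pre-condition itself; other mismatches still need triage, since the same rewrite works against any existing host name in the domain.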

General Information

Vendors

  • Microsoft

Products

  • Windows 10 Version 1809
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows 10 Version 1909
  • Windows 10 Version 21H1
  • Windows Server 2022
  • Windows 10 Version 20H2
  • Windows Server version 20H2
  • Windows 11 version 21H2
  • Windows 10 Version 21H2
  • Windows 10 Version 1507
  • Windows 10 Version 1607
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
