ESC7 Vulnerable Certificate Authority Access Control
A CA has its own permissions that secure CA actions; they are accessed through certsrv.msc.
We care about:
- ManageCA (effective CA Admin)
- ManageCertificates (effective Certificate Manager)
The ManageCA permission grants a principal the ability to perform “Administrative” CA actions, including the modification of persistent configuration data. This includes the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, so any principal with the ManageCA permission can set it and introduce ESC6. This can be done with PSPKI’s Enable-PolicyModuleFlag cmdlet.
The ManageCertificates permission allows the principal to approve pending certificate requests, negating the “Manager Approval” Issuance Requirement/protection. So while it can’t be used on its own to compromise the domain, it can function as a protection bypass.
These permissions enable the earlier ESC attacks, so they must be chained with them.
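An audit check for the two permissions and the ESC6 flag described above, as an added example that is not part of the original notes or of PSPKI. The principal names, the `EXPECTED_ADMINS` allow-list and the sample ACL are constructed assumptions; the mask bits are the CA access rights from the Windows SDK header certsrv.h.

```python
# Added example: triage a CA's access-control entries for ESC7-relevant rights.
CA_RIGHTS = {
    0x001: "ManageCA",            # CA Admin
    0x002: "ManageCertificates",  # Certificate Manager (officer)
    0x100: "Read",
    0x200: "Enroll",
}
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000  # policy-module EditFlags bit (ESC6)

# Assumption: the principals expected to administer the CA in this environment.
EXPECTED_ADMINS = {"BUILTIN\\Administrators", "CORP\\Domain Admins",
                   "CORP\\Enterprise Admins"}

def decode_rights(mask):
    """Return the names of the CA rights present in an ACE access mask."""
    return [name for bit, name in CA_RIGHTS.items() if mask & bit]

def audit_ca(aces, edit_flags, expected=EXPECTED_ADMINS):
    """aces: iterable of (principal, 'Allow' or 'Deny', access_mask)."""
    findings = []
    for principal, ace_type, mask in aces:
        # Deny ACEs grant nothing; expected admins are out of scope here.
        if ace_type != "Allow" or principal in expected:
            continue
        rights = decode_rights(mask)
        if "ManageCA" in rights:
            findings.append((principal, "ManageCA",
                             "can change CA configuration, including "
                             "EDITF_ATTRIBUTESUBJECTALTNAME2"))
        if "ManageCertificates" in rights:
            findings.append((principal, "ManageCertificates",
                             "can approve pending requests, bypassing "
                             "Manager Approval"))
    if edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2:
        findings.append(("<CA>", "EditFlags",
                         "EDITF_ATTRIBUTESUBJECTALTNAME2 is set (ESC6)"))
    return findings

# Constructed sample ACL and EditFlags value, for illustration only.
SAMPLE_ACES = [
    ("BUILTIN\\Administrators", "Allow", 0x003),
    ("NT AUTHORITY\\Authenticated Users", "Allow", 0x200),
    ("CORP\\helpdesk", "Allow", 0x302),
    ("CORP\\pki-ops", "Allow", 0x001),
    ("CORP\\contractors", "Deny", 0x003),
]
SAMPLE_EDIT_FLAGS = 0x15014E

if __name__ == "__main__":
    for principal, right, why in audit_ca(SAMPLE_ACES, SAMPLE_EDIT_FLAGS):
        print(f"{principal}: {right} - {why}")
```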