SID-Spoofing Vulnerability
Dirk-jan Mollema recently described how to extend Certifried-like attacks to Intune. While he used AD CS and NDES in the article, the problems described are not specific to them and generally apply to all PKIs using Intune for SCEP enrollment, including SCEPman.
However, there are some additional constraints for other PKIs. Most importantly, as this builds upon the general Certifried vulnerability, it requires the CA certificate to be in the domain's NTAuth store. While AD CS is in the NTAuth store by default, SCEPman is not, so SCEPman users can only be affected if they explicitly added the CA certificate to the NTAuth store. If you have not done so, you are not affected. Some use cases do require adding the CA certificate to the NTAuth store, though, most notably Domain Controller certificates and certificate-based RDP authentication. If your CA certificate is in the NTAuth store and you enable Intune enrollment on SCEPman, this will usually allow your Intune Admins to exploit this and enroll certificates with which they can take over the domain, i.e. your Intune Admins should be treated as Tier-0 Admins.
But Dirk-jan described another, more severe problem. Intune seemingly does not check whether a user-supplied SID matches the user's or device's onPremisesSecurityIdentifier attribute, undermining the mitigations Microsoft introduced with its enforcement of Strong Mapping. A user without elevated rights (local admin rights on their own machine may or may not be necessary) can enroll a certificate with the SID of another user. The user still needs to get the other user's UPN into the certificate, for which we currently know of no existing exploit, but it is one security hurdle less. For device certificates it is even worse: Dirk-jan outlined the specific requirements under which a normal user can enroll a certificate that lets them authenticate as a Domain Controller's machine account and take over that machine.
If you do have the SCEPman CA certificate in the NTAuth store and you want to prevent the user-based attack, you can set AppConfig:IntuneValidation:AllowRequestedSidExtension to false. This filters out all SAN URIs containing SIDs, including spoofed ones. You can set AppConfig:AddSidExtension to true to let SCEPman write the verified SID from the onPremisesSecurityIdentifier attribute into the certificate instead. This approach is not susceptible to SID spoofing, because the SID never comes from the request, but it is currently limited to user certificates.
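The two settings above, as an added example that is not SCEPman's own code: requester-supplied SID SAN URIs are dropped or kept depending on the first setting, and the SID written to the certificate comes only from a directory lookup when the second is on. The `tag:microsoft.com,2022-09-14:sid:` URI form is taken here as the one Microsoft specifies for SID-carrying requests; the UPNs, SIDs and the in-memory directory are constructed stand-ins for the onPremisesSecurityIdentifier lookup.

```python
import re

# URI form assumed for SID-carrying SAN entries in a SCEP request.
SID_URI_PREFIX = "tag:microsoft.com,2022-09-14:sid:"
SID_PATTERN = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")

# Constructed stand-in for looking up onPremisesSecurityIdentifier in Entra ID.
DIRECTORY = {
    "alice@corp.example": "S-1-5-21-1111-2222-3333-1104",
    "bob@corp.example": "S-1-5-21-1111-2222-3333-1105",
}


def requested_sids(san_uris):
    """Return every SID the requester put into the SAN, valid-looking or not."""
    return [u[len(SID_URI_PREFIX):] for u in san_uris if u.startswith(SID_URI_PREFIX)]


def spoof_attempts(upn, san_uris):
    """Detection view: requested SIDs that do not match the directory SID of the UPN.

    A non-empty result is worth logging even when the request is rejected.
    """
    verified = DIRECTORY.get(upn)
    return [s for s in requested_sids(san_uris) if s != verified]


def process_request(upn, san_uris, allow_requested_sid, add_sid_extension):
    """Return (san_uris_kept, sid_for_extension) for a user certificate request.

    allow_requested_sid=False mirrors AllowRequestedSidExtension=false: every
    SID-carrying SAN URI from the request is filtered out, spoofed or not.
    add_sid_extension=True mirrors AddSidExtension=true: the SID extension is
    filled from the directory, never from the request (None if no on-prem SID).
    """
    kept = []
    for uri in san_uris:
        if not uri.startswith(SID_URI_PREFIX):
            kept.append(uri)          # non-SID SAN entries pass through untouched
        elif allow_requested_sid and SID_PATTERN.match(uri[len(SID_URI_PREFIX):]):
            kept.append(uri)          # the vulnerable setting: trust the request
    sid = DIRECTORY.get(upn) if add_sid_extension else None
    return kept, sid
```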