CVE-2022-26923: 
vulnerability analysis and mitigation

CVE-2022-26923 is an Active Directory Domain Services Elevation of Privilege vulnerability discovered by Oliver Lyak and disclosed on May 10, 2022. The vulnerability affects Active Directory (AD) and Active Directory Certificate Services (AD CS), allowing low-privileged users to escalate privileges through certificate-based authentication. In default installations of AD CS, attackers can exploit this vulnerability by requesting an authentication certificate and using it to impersonate another computer account, potentially leading to a full domain takeover (Semperis Blog).

The vulnerability stems from two primary conditions: the ability to change a computer account's dNSHostName to match another computer account, and the presence of certificate templates configured with the SubjectAltRequireDns flag. In default AD installations, any Authenticated User can add machine accounts (limited to 10 by default) and modify their dNSHostName attribute. The vulnerability occurs because certificate-based authentication would not account for a dollar sign ($) at the end of a machine name, allowing certificates to be spoofed in various ways (Semperis Blog).

The exploitation of this vulnerability can lead to privilege escalation within an AD domain, potentially resulting in full domain takeover. Attackers can target any active computer within AD, including domain controllers, and use the compromised access to perform various malicious actions such as configuring resource-based constrained delegation (RBCD) or accessing services like WinRM, RDP, and IIS (Semperis Blog).

Microsoft released patches for this vulnerability in the May 2022 security updates. The patch introduces changes that prevent accounts with Validated write to DNS host name permission from changing the dNSHostName attribute to match another account on patched DCs. Additional mitigations include restricting the ability of low-privileged users to create machine accounts, changing certificate templates from using DNS name to User Principal Name (UPN), and configuring certificate templates to require manager approval for enrollment (KB5014754).