ESC15

Arbitrary Application Policy Injection in V1 Templates (CVE-2024-49019 "EKUwu")

Description

"ESC15, also known by the community name "EKUwu" (research by Justin Bollinger from TrustedSec) and tracked as CVE-2024-49019, describes a vulnerability affecting unpatched CAs. It allows an attacker to inject arbitrary Application Policies into a certificate issued from a Version 1 (Schema V1) certificate template. If the CA has not been updated with the relevant security patches (Nov 2024), it will incorrectly include these attacker-supplied Application Policies in the issued certificate. This occurs even if these policies are not defined in, or are inconsistent with, the template's intended Extended Key Usages (EKUs), thereby granting the certificate unintended capabilities.

For instance, an attacker could request a certificate from a V1 "WebServer" template (which typically only permits "Server Authentication" EKU) and, through this vulnerability, inject the "Client Authentication" OID (1.3.6.1.5.5.7.3.2) as an Application Policy. The resulting certificate could then potentially be used for client logon, contrary to the template's design. This attack is similar in principle to ESC1 (Enrollee Supplies Subject for SAN abuse) or ESC2 (Any Purpose EKU abuse) but specifically leverages the szOID_APPLICATION_CERT_POLICIES (Application Policies) certificate extension.

Prerequisite for ESC15: Based on current understanding and the exploitation details, this vulnerability appears to primarily affect Version 1 templates that also have the "Enrollee supplies subject" (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) setting enabled. This combination allows the attacker to provide subject information (which might be necessary for the target use case) alongside the malicious Application Policies in the CSR.

Technical Deep Dive (Pre-Patch Behavior):

  • Version 1 Template Behavior: V1 templates are simpler than V2+ templates. They do not have a distinct "Application Policies" tab in their configuration. By default, when a CA processes a request for a V1 template, it often copies the EKUs defined in the template into both the EKU extension and the Application Policies extension of the issued certificate.

  • The Vulnerability (CVE-2024-49019 on Unpatched CAs): When an attacker submits a CSR for a vulnerable V1 template (with "Enrollee supplies subject") to an unpatched CA, and that CSR includes an attacker-specified Application Policies extension, the CA would incorporate this attacker-supplied extension into the issued certificate as-is. It would not necessarily override, strip, or validate these injected policies against the template's defined EKUs.

  • Impact: An attacker could enroll for such a V1 template and inject potent Application Policy OIDs. For example:

    • "Client Authentication" (OID 1.3.6.1.5.5.7.3.2) to enable network logon.

    • "Certificate Request Agent" (OID 1.3.6.1.4.1.311.20.2.1) to enable the certificate to act as an enrollment agent (leading to an ESC3-like attack).

  Windows systems (KDC for Kerberos PKINIT, or Schannel for TLS) might honor these injected Application Policies for authentication or enrollment agent purposes, effectively bypassing the EKU restrictions intended by the V1 template." — Oliver Lyak
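
A defensive audit check, added here and not part of the original page or of Certipy: given the raw DER values of a certificate's Extended Key Usage extension and its Application Policies extension (szOID_APPLICATION_CERT_POLICIES, 1.3.6.1.4.1.311.21.10), it lists the policy OIDs the Application Policies extension grants that the EKU extension never listed, which is exactly where injected policies from an unpatched CA show up. The sample extension bytes are hand-encoded and constructed for this example, not taken from a real certificate.

```python
# Audit helper: compare a certificate's EKU extension with its Microsoft Application
# Policies extension (1.3.6.1.4.1.311.21.10). Pure-Python DER, no third-party packages.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def eku_oids(ext_value):
    """ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER"""
    _, seq, _ = _read_tlv(ext_value, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, body, pos = _read_tlv(seq, pos)
        oids.append(_decode_oid(body))
    return oids

def application_policy_oids(ext_value):
    """ApplicationPolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID, ... }"""
    _, seq, _ = _read_tlv(ext_value, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)  # one PolicyInformation
        _, body, _ = _read_tlv(info, 0)     # its policyIdentifier; qualifiers ignored
        oids.append(_decode_oid(body))
    return oids

def injected_policies(eku_ext, app_policy_ext):
    """OIDs granted by Application Policies that the EKU extension never listed."""
    return sorted(set(application_policy_oids(app_policy_ext)) - set(eku_oids(eku_ext)))

# Constructed sample (hand-encoded DER, not from a real certificate):
# EKU = {serverAuth}; Application Policies = {serverAuth, clientAuth, Certificate Request Agent}
SAMPLE_EKU = bytes.fromhex("300a06082b06010505070301")
SAMPLE_APP_POLICIES = bytes.fromhex(
    "3026300a06082b06010505070301300a06082b06010505070302300c060a2b060104018237140201")
```

On a patched CA a V1 template's issued certificates should yield an empty list here; any non-empty result on a WebServer-style certificate is worth pulling the CA's request log for.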

Configuration

For this vulnerability, we can use the default "WebServer" template if we allow "Authenticated Users" to enroll in it (that is the setup used in our case; you could be creative and build a different exploitation path).

Written by ruycr4ft