Info: SECURITY ALERT: Microsoft CA - Risk of Unauthorized Enrollment

Applies To:

All versions of Venafi™ Encryption Director and Venafi Trust Protection Platform 14.1


Venafi has identified a vulnerability with the Microsoft Certificate Authority integration in product versions that rely upon a shared COM+ service. In those versions, the credentials used to access the Microsoft CA are assigned to a system level "Venafi COM+ Service" that is used by all CA templates and CA Import objects that interface with the Microsoft CA.  As a result any user with some knowledge of the Microsoft CA, and who has rights to create objects in the Policy tree, has the ability to create their own CA templates and subsequently enroll certificates. This means that they could violate enterprise standards and bypass enterprise controls.

Venafi has redesigned the Microsoft CA integration in Trust Protection Platform 14.2 to eliminate this vulnerability.  Communication with the Microsoft CA no longer relies upon a shared COM+ service and users are now required to assign credentials to every instance of a Microsoft CA template.


Recommended Action:

Customers who have integrated with a Microsoft CA are strongly encouraged to:

  1. Upgrade to Venafi Trust Protection Platform 14.2; or
  2. Implement an administrative notification that is triggered whenever a Microsoft CA template object is created (i.e. whenever the "Admin UI - Object Created" event is logged and the value of Text2 = "Microsoft CA").
    1. Customers interested in an additional level of security can create and apply an approval workflow at Stage 500, thereby affording administrators the opportunity to review and approve every request submitted to their CA.  The workflow should be set up in such a manner that it cannot be blocked by non-administrators.

More Info:

Refer to the product documentation, README, and knowledge base article for more details about the changes that were made to Microsoft CA integration in Trust Protection Platform 14.2.

Was this article helpful?
0 out of 0 found this helpful