The ICertPassage (MS-ICPR) RPC interface does not enforce encryption, so NTLM authentication attempts on the domain network can be relayed to this RPC interface to request certificates on behalf of other domain principals.
The misconfiguration was disclosed by Sylvain Heiniger in this blog post.
Vulnerability Details
According to the research, the ESC11 vulnerability is present if the IF_ENFORCEENCRYPTICERTREQUEST interface flag is not set on the certificate authority.
Detection
While Certify does not provide abuse functions for this vulnerability type, we can search for certificate authorities with an unprotected RPC interface using the enum-cas --filter-vulnerable command from Certify. For more information about the command and its parameters, please refer to the Command Overview page.
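As an added local check that is not part of Certify or of this page, the PowerShell below, run on the CA host itself, reads the active CA's InterfaceFlags registry value and reports whether IF_ENFORCEENCRYPTICERTREQUEST is set. The flag value 0x200 is assumed from the Windows SDK header certsrv.h, and the registry path and the certutil remediation command are assumptions from standard AD CS administration.

```powershell
# Added example (not Certify's code). Run locally on the CA host with admin rights.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# Assumed from certsrv.h: IF_ENFORCEENCRYPTICERTREQUEST = 0x200
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200

function Test-Esc11 {
    # 'Active' holds the name of the CA instance running on this host
    $caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    # InterfaceFlags is the DWORD bitmask that certutil -getreg CA\InterfaceFlags shows
    $flags  = (Get-ItemProperty -Path "$ConfigKey\$caName" -Name InterfaceFlags).InterfaceFlags

    [pscustomobject]@{
        CA             = $caName
        InterfaceFlags = ('0x{0:X}' -f $flags)
        EnforceEncrypt = [bool]($flags -band $IF_ENFORCEENCRYPTICERTREQUEST)
        # ESC11 condition from the page: the flag is NOT set
        ESC11          = -not ($flags -band $IF_ENFORCEENCRYPTICERTREQUEST)
    }
}

$result = Test-Esc11
$result

if ($result.ESC11) {
    Write-Warning "ESC11: $($result.CA) does not enforce encryption on ICertPassage (MS-ICPR)."
    # Remediation (assumed standard certutil syntax; the CA service must be restarted to apply):
    #   certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
    #   net stop certsvc ; net start certsvc
}
```

The same check can be run against a remote CA by wrapping Test-Esc11 in Invoke-Command, since the registry key is only present on the CA host.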