FKIE_CVE-2026-12249

Vulnerability from fkie_nvd - Published: 2026-06-22 18:16 - Updated: 2026-06-22 20:18
Summary
An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.
Impacted products
Vendor Product Version

{
  "affected": [
    {
      "affectedData": [
        {
          "collectionURL": "https://github.com/ubuntu",
          "defaultStatus": "unaffected",
          "packageName": "adsys",
          "repo": "https://github.com/ubuntu/adsys",
          "versions": [
            {
              "lessThan": "0.16.3",
              "status": "affected",
              "version": "0.13.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/focal",
          "defaultStatus": "unaffected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 20.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.9.2~20.04.2ubuntu0.1+esm2",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/jammy",
          "defaultStatus": "affected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 22.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.16.3~22.04.2ubuntu0.22.04.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/noble",
          "defaultStatus": "affected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 24.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.16.3~24.04.2ubuntu0.24.04.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/questing",
          "defaultStatus": "unaffected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 25.10",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.16.3",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/resolute",
          "defaultStatus": "unaffected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 26.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.16.4ubuntu1",
              "versionType": "dpkg"
            }
          ]
        }
      ],
      "source": "security@ubuntu.com"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3."
    }
  ],
  "id": "CVE-2026-12249",
  "lastModified": "2026-06-22T20:18:53.300",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0,
        "source": "security@ubuntu.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "YES",
          "Recovery": "IRRECOVERABLE",
          "Safety": "NEGLIGIBLE",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "RED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "DIFFUSE",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:I/V:D/RE:L/U:Red",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "LOW"
        },
        "source": "security@ubuntu.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-12249",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-06-22T17:30:38.451893Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-06-22T18:16:31.917",
  "references": [
    {
      "source": "security@ubuntu.com",
      "url": "https://github.com/ubuntu/adsys/commit/8b1939f96d3827b4426eb06c1ced5bf317b0a99d"
    },
    {
      "source": "security@ubuntu.com",
      "url": "https://ubuntu.com/security/CVE-2026-12249"
    }
  ],
  "sourceIdentifier": "security@ubuntu.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-348"
        }
      ],
      "source": "security@ubuntu.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…