Description
An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.
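As an added illustration of the check the description implies (this is not ADSys or Samba code; all names are hypothetical), the snippet below contrasts the "accept whatever comes back" pattern with a hardened gate that refuses a non-HTTPS fetch URL and pins the CA certificate's SHA-256 fingerprint, assumed to be provisioned out of band, before anything is handed to update-ca-certificates. The certificate body is a constructed stand-in, not a real certificate.

```python
"""Added example (not ADSys or Samba code): what an auto-enrollment client
should verify before handing a fetched CA certificate to update-ca-certificates.
Hypothetical names; the pinned fingerprint is assumed to be provisioned out of band."""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for a CA certificate body; not real ASN.1 and not a real CA.
CONSTRUCTED_DER = b"constructed-ca-certificate-body-not-real-asn1"
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER)
                   + b"-----END CERTIFICATE-----\n")


def vulnerable_accepts(url: str, pem: bytes) -> bool:
    """The pattern the advisory describes: any scheme, any body is trusted."""
    return bool(pem)


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armor and base64-decode; raises ValueError on bad input."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
    if not body:
        raise ValueError("empty PEM body")
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def hardened_accepts(url: str, pem: bytes, pinned_sha256: str) -> tuple[bool, str]:
    """Only a CA fetched over HTTPS from a named host, whose SHA-256 fingerprint
    matches the out-of-band pin, may be installed into the system trust store."""
    u = urlparse(url)
    if u.scheme != "https":
        return False, "refused: CA fetch URL is not https"
    if not u.hostname:
        return False, "refused: CA fetch URL has no host"
    try:
        fp = sha256_fingerprint(pem_to_der(pem))
    except ValueError:
        return False, "refused: certificate body is not valid PEM"
    expected = pinned_sha256.lower().replace(":", "")
    if not hmac.compare_digest(fp, expected):
        return False, "refused: fingerprint does not match pinned CA"
    # Only at this point would the caller drop the PEM into the local CA
    # directory (e.g. /usr/local/share/ca-certificates) and run update-ca-certificates.
    return True, "accepted"


# Pin derived from the constructed body; a real deployment ships this value via policy.
PINNED = sha256_fingerprint(CONSTRUCTED_DER)
```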
Published: 2026-06-22
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ADSys auto-enrollment component retrieves the CA certificate from an AD CS server over an unencrypted HTTP request. An attacker who can intercept traffic between the Ubuntu host and the AD CS server can substitute any attacker-controlled root CA certificate. The system installs that certificate into the local trust store via update-ca-certificates without further validation, poisoning the trust store. Consequently, every TLS client on the affected machine that relies on the system trust store will accept rogue certificates for arbitrary domains, allowing persistent interception and decryption of encrypted traffic. This is an instance of CWE-348, Use of Less Trusted Source: the CA certificate is taken from an unauthenticated channel.

Affected Systems

The vulnerability affects Canonical ADSys versions up through 0.16.2 installed on Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS. All systems using the default ADSys package on these releases are susceptible until upgraded to 0.16.3 or later.

Risk and Exploitability

The CVSS score of 9 indicates critical severity; no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An unauthenticated attacker positioned between the host and the AD CS server can perform a man-in-the-middle attack by intercepting the plaintext HTTP request and supplying a malicious CA certificate, thereby compromising all subsequent TLS traffic from the host. The only precondition is that on-path network position; no authentication or privileges are required (the CVSS vectors record this as AC:H and PR:N).

Generated by OpenCVE AI on June 22, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround is recorded in this field. The description above states that the issue is resolved in ADSys v0.16.3.

OpenCVE Recommended Actions

  • Upgrade Canonical ADSys to v0.16.3 or later, which eliminates the plaintext HTTP certificate request and enforces HTTPS.
  • If the upgrade cannot be applied immediately, disable auto-enrollment over HTTP by removing or disabling the gp_cert_auto_enroll_ext.py script in the ADSys policy configuration until the upgrade is in place.
  • Apply network controls to block outbound plaintext HTTP from Ubuntu hosts to the AD CS server so that only HTTPS connections are permitted.

Generated by OpenCVE AI on June 22, 2026 at 18:25 UTC.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.
Title | | Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment
Weaknesses | | CWE-348
References | |
Metrics | | cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}
 | | cvssV4_0: {'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:I/V:D/RE:L/U:Red'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-06-22T17:30:57.314Z

Reserved: 2026-06-15T08:01:59.335Z

Link: CVE-2026-12249

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-348: Use of Less Trusted Source