CVE-2026-12249 (CRITICAL), CNA: canonical

CVE-2026-12249: Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment

An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.
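The defect described above has two halves: the CA certificate is requested over a scheme that gives no authenticity, and whatever comes back is installed without any independent check. As an added illustration (not ADSys, Samba or HarborGuard code, and not the upstream v0.16.3 fix), the following Python shows the hardened shape of that enrollment step and a simple after-the-fact audit: enforce an https:// URL, compare the fetched certificate's SHA-256 fingerprint against a pin distributed out of band before staging it under /usr/local/share/ca-certificates (the directory update-ca-certificates reads), and list any locally added CA whose fingerprint is not on an allow-list. The function names, the "/ca-cert" path and the sample certificate bytes are constructed assumptions; the sample bytes are placeholders, not real X.509 certificates, since fingerprint pinning only needs the DER bytes.

```python
"""Hardened CA-certificate retrieval plus a local trust-store audit.

Added illustration for CVE-2026-12249; not ADSys, Samba or HarborGuard
code. Function names, the "/ca-cert" path and the sample certificate
bytes are constructed assumptions.
"""
import base64
import hashlib
import os
import ssl
import tempfile
import urllib.request
from urllib.parse import urlsplit


class EnrollmentError(Exception):
    """Raised when the CA certificate cannot be obtained or installed safely."""


def ca_cert_url(ca_host: str, path: str = "/ca-cert") -> str:
    """Build the CA-certificate URL with an https:// scheme only.

    The real AD CS endpoint path is not given on the page; "/ca-cert" is a placeholder.
    """
    if "://" in ca_host:
        raise EnrollmentError("pass a bare CA hostname, not a URL")
    return f"https://{ca_host}{path}"


def assert_https(url: str) -> None:
    """Refuse any non-TLS URL so a plaintext endpoint cannot arrive via configuration."""
    if urlsplit(url).scheme != "https":
        raise EnrollmentError(f"refusing non-TLS CA certificate URL: {url}")


def fingerprint_pem(pem: str) -> str:
    """SHA-256 over the certificate's DER bytes, lowercase hex without colons."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def default_fetch(url: str) -> bytes:
    """Live fetch over TLS, verifying the server against the existing trust store."""
    assert_https(url)
    with urllib.request.urlopen(url, context=ssl.create_default_context(), timeout=10) as resp:
        return resp.read()


def fetch_pinned_ca_cert(url: str, expected_sha256: str, fetch=default_fetch) -> str:
    """Fetch the CA certificate and accept it only if it matches an out-of-band pin."""
    assert_https(url)
    pem = fetch(url).decode("ascii")
    got = fingerprint_pem(pem)
    if got != expected_sha256.replace(":", "").lower():
        raise EnrollmentError(f"CA certificate fingerprint mismatch: got {got}")
    return pem


def stage_ca_cert(pem: str, expected_sha256: str,
                  dest_dir: str = "/usr/local/share/ca-certificates",
                  name: str = "adcs-root.crt") -> str:
    """Write the pinned certificate where update-ca-certificates picks it up.

    Nothing is written unless the pin matches; the caller runs update-ca-certificates.
    """
    if fingerprint_pem(pem) != expected_sha256.replace(":", "").lower():
        raise EnrollmentError("refusing to stage an unpinned CA certificate")
    path = os.path.join(dest_dir, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem)
    return path


def audit_local_ca_dir(ca_dir: str, allowed_sha256) -> list:
    """Detection: locally added .crt files whose fingerprint is not allow-listed."""
    allowed = {fp.replace(":", "").lower() for fp in allowed_sha256}
    unexpected = []
    for entry in sorted(os.listdir(ca_dir)):
        if not entry.endswith(".crt"):
            continue
        with open(os.path.join(ca_dir, entry), encoding="ascii") as fh:
            if fingerprint_pem(fh.read()) not in allowed:
                unexpected.append(entry)
    return unexpected


def _pem_from_der(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


# Constructed placeholder bytes, NOT real X.509 certificates.
EXPECTED_DER = b"constructed placeholder for the legitimate AD CS root CA"
EXPECTED_PEM = _pem_from_der(EXPECTED_DER)
EXPECTED_SHA256 = hashlib.sha256(EXPECTED_DER).hexdigest()
ROGUE_PEM = _pem_from_der(b"constructed placeholder for a substituted CA")


def demo() -> dict:
    """Run the hardened flow offline; lambdas stand in for the network, no sockets opened."""
    results = {}
    url = ca_cert_url("adcs.example.internal")
    results["pinned_ok"] = fetch_pinned_ca_cert(
        url, EXPECTED_SHA256, fetch=lambda _u: EXPECTED_PEM.encode()) == EXPECTED_PEM
    try:
        fetch_pinned_ca_cert(url, EXPECTED_SHA256, fetch=lambda _u: ROGUE_PEM.encode())
        results["rogue_rejected"] = False
    except EnrollmentError:
        results["rogue_rejected"] = True
    try:
        fetch_pinned_ca_cert(url.replace("https://", "http://"), EXPECTED_SHA256,
                             fetch=lambda _u: EXPECTED_PEM.encode())
        results["plaintext_rejected"] = False
    except EnrollmentError:
        results["plaintext_rejected"] = True
    with tempfile.TemporaryDirectory() as ca_dir:
        stage_ca_cert(EXPECTED_PEM, EXPECTED_SHA256, dest_dir=ca_dir)
        results["audit_clean"] = audit_local_ca_dir(ca_dir, {EXPECTED_SHA256})
        with open(os.path.join(ca_dir, "rogue.crt"), "w", encoding="ascii") as fh:
            fh.write(ROGUE_PEM)
        results["audit_after_poison"] = audit_local_ca_dir(ca_dir, {EXPECTED_SHA256})
    return results


if __name__ == "__main__":
    print(demo())
```

The pin is the control that matters: TLS on the fetch stops a passive network position from substituting the response, but a fingerprint checked against a value the host already holds means that even a mis-issued or compromised server certificate cannot get a rogue root into the trust store. The audit function is the defender's counterpart to update-ca-certificates: scheduling it against /usr/local/share/ca-certificates turns a silent trust-store change into an alert.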

Metrics

CVSS v4.0: 9.0
Severity: CRITICAL
Fixed in: 0.9.2~20.04.2ubuntu0.1+esm2
Affected Products: 6


HarborGuard Analysis

Synopsis

Trust store poisoning is the vulnerability class here, affecting Canonical ADSys versions through v0.16.2 on Ubuntu LTS and current releases. During Active Directory Certificate Services auto-enrollment, ADSys fetches the CA certificate over plaintext HTTP rather than HTTPS, allowing an unauthenticated attacker positioned on the network path between the managed Ubuntu host and the AD CS server to substitute an arbitrary root CA certificate. Successful exploitation causes the host's system-wide trust store to accept attacker-controlled certificates, enabling persistent interception and decryption of all subsequent TLS connections made by any application trusting the OS certificate store. A patched-image rebuild at v0.16.3 (and the corresponding Ubuntu LTS point releases) is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-12249 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Ubuntu-based images that bundle ADSys. Coverage extends to derived images that inherit the affected ADSys package from a base layer.

Triage: Available

HarborGuard triage capability applies the CVSS v4.0 score of 9.0 (Critical) to each matched finding, weighted further by any per-environment compliance policies the customer has configured. Routed findings surface in the appropriate team inbox based on each organization's ownership and severity-routing rules.

Patch: Available

A patched-image rebuild at the applicable fix version (v0.16.3, or the corresponding Ubuntu 20.04, 22.04, and 24.04 point-release packages) becomes available through HarborGuard once the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must be positioned on the network path between the Ubuntu host and the AD CS CA server to intercept the plaintext HTTP certificate request.

  • Authentication: Not required

    No credentials or account are required; the attack targets an unauthenticated HTTP request initiated by the ADSys client.

  • Victim interaction: Not required

    No user action is needed; certificate auto-enrollment runs automatically as a system-level policy operation.

  • Attack complexity: High (AC:H in the CVSS vector)

    Exploitation requires the attacker to achieve a man-in-the-middle position on the relevant network segment, introducing an environmental prerequisite, though no race condition or memory-layout dependency is involved.

Blast Radius

  • The attacker injects an arbitrary root CA certificate into the host's system-wide trust store via update-ca-certificates.
  • All TLS clients on the affected host that rely on the OS trust store accept rogue certificates signed by the attacker-controlled CA for any domain.
  • Subsequent HTTPS traffic from applications, package managers, and service agents on the host is transparently decrypted and readable by the attacker.
  • The attacker can also modify in-transit responses, injecting malicious payloads into software updates, API responses, or authentication flows.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image carrying ADSys below v0.16.3, across all Ubuntu LTS variants listed in the advisory. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the appropriate fix version (v0.16.3 or the Ubuntu-specific point-release equivalent), executes regression tests, and opens a pull request against affected workloads; median time to merged patch PR for critical-severity issues is around 90 minutes. For environments where auto-remediation is gated by compliance policy approval, the rebuilt image is queued and held pending approval. Until the patched image is deployed, compensating controls available through HarborGuard network policy tooling include isolating managed Ubuntu hosts from direct routable access to the AD CS hostname, enforcing egress filtering to restrict certificate enrollment traffic to known-safe paths, and flagging any image that includes ADSys for manual review before promotion to production registries.


Fix available

0.9.2~20.04.2ubuntu0.1+esm2, 0.16.3, 0.16.3~22.04.2ubuntu0.22.04.1, 0.16.3~24.04.2ubuntu0.24.04.1, 0.16.4ubuntu1
Affected packages
  • unknown
    < 0.16.3 (from 0.13.0)
  • Canonical / Ubuntu 20.04 LTS
    Fixed in 0.9.2~20.04.2ubuntu0.1+esm2
  • Canonical / Ubuntu 22.04 LTS
    Fixed in 0.16.3~22.04.2ubuntu0.22.04.1
  • Canonical / Ubuntu 24.04 LTS
    Fixed in 0.16.3~24.04.2ubuntu0.24.04.1
  • Canonical / Ubuntu 25.10
    Fixed in 0.16.3
  • Canonical / Ubuntu 26.04 LTS
    Fixed in 0.16.4ubuntu1
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:I/V:D/RE:L/U:Red