Microsoft Dynamics 365: Wildcard certificate with a private key for everyone

For the cloud application "Dynamics 365" Microsoft used a single wildcard certificate for all instances. At least in a test version it was possible to extract the private key, and one could potentially have attacked all other customers. Microsoft first denied that there was a problem.

This article is also available in German.

In a cloud ERP product Microsoft used the same certificate for all customer instances for HTTPS connections. The software developer Matthias Gliwka was able to extract the private key from a so-called sandbox instance. This could have been used for a man-in-the-middle attack on users of other instances.

With the cloud version of Dynamics 365 for Operations every customer gets an instance of the software on their own server. The sandbox version is meant to be a test environment. The web interfaces of these systems used an HTTPS wildcard certificate that was valid for *.sandbox.operations.dynamics.com. It was issued by Microsoft's own certificate authority.

Remote access allows extracting the private key

Customers can log into the sandbox server via Microsoft's Remote Desktop Protocol (RDP). As the customer has direct access to the server, it is not difficult to extract the private key belonging to the certificate and download it.

The key was marked as non-exportable, but that isn't really a protection. There are various tools that allow circumventing that flag. Matthias Gliwka created a small custom tool to get access to the key.

With the help of the private key it's possible to perform man-in-the-middle attacks on other users, as the certificate for all instances is identical. If an attacker is in the same network as his victim, he could forward all connections to a Dynamics 365 instance to his own server. There he could run a phishing page that cannot be distinguished from the original interface.

It wasn't clear to Gliwka at that point whether the same problem existed for the production instances as well, as he didn't have access to one. However, the production instances also use a wildcard certificate, valid for *.operations.dynamics.com.

Gliwka contacted Microsoft's Security Response Center back in August. In a first reply he was told that they didn't believe this was a security problem, as the attacker needs administration rights on the server. It seems therefore that Microsoft initially didn't understand that the key from one instance can be used to attack other customers.

In a second mail Gliwka tried to describe the problem in more detail. That mail was never answered.

After that Gliwka directly contacted a person working for Microsoft's certificate authority. The person told him that Microsoft's security team wasn't able to find his mail. After he re-sent the mail they at first still couldn't find it, but a few days later he was told that they had found it now and were "actively engaged". However, after that nothing happened.

Microsoft support gives out the phone number of Marine Spill Response Corp

Gliwka then tried Microsoft's support chat and asked for a phone number for the MSRC, the abbreviation for Microsoft's Security Response Center. He got a phone number, but it belonged to a company named "Marine Spill Response Corp", also abbreviated MSRC. This company has nothing to do with Microsoft; it handles accidents in the oil industry.

In the end Gliwka contacted Golem.de, hoping that this would get some attention for the problem. According to the rules for certificate authorities, the so-called Baseline Requirements, certificates with a compromised private key must be revoked within 24 hours. The author of this text reported the problem in Mozilla's bug tracker and also informed a Chrome developer and a representative from DigiCert.

Microsoft doesn't run its own root certificate authority; the Microsoft certificates are indirectly signed by DigiCert. Therefore DigiCert is indirectly responsible for the revocation.

When Mozilla contacted Microsoft things were solved quickly

That finally caused some action on Microsoft's side. Representatives from Mozilla directly contacted Microsoft, and within a few days both wildcard certificates were revoked. Future instances of Dynamics 365 will get an individual certificate with an individual private key.

We asked Microsoft whether this bug would also have affected the production instances. They told us that it wouldn't have been possible, as there is no remote desktop access to these instances. It is, however, possible to install custom software modules there, but Microsoft informed us that these also can't be used to extract the private key, as they don't run with sufficient permissions.

But even if one can't extract the private key, this might still be a security problem. An attacker could have forwarded a customer from one instance to another, as the certificate is valid for all instances. He could therefore potentially have got someone to enter internal company data into the wrong instance of Dynamics 365.
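The two risks described above, a shared key and a certificate that validates for every tenant hostname, can both be checked from the defender's side without the private key. The following added example (not code from the article or from Microsoft) implements RFC 6125 style wildcard matching to show which instance hostnames a single SAN entry covers, and groups hosts by the fingerprint of the certificate they present so that tenants sharing one certificate stand out. The hostnames and the certificate bytes are constructed sample data; the domain patterns are the ones named in the article.

```python
import hashlib
from typing import Dict, Iterable, List


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' is allowed only as the entire leftmost label
    and matches exactly one label, so it never spans a sub-subdomain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False  # '*' in the middle of a label or a bare '*' is rejected
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def covered_instances(san_names: Iterable[str], instance_hosts: Iterable[str]) -> List[str]:
    """Return every instance hostname that a certificate with these SAN entries
    would be accepted for. One wildcard entry covering all tenants is the
    situation the article describes."""
    names = list(san_names)
    return [h for h in instance_hosts if any(wildcard_matches(p, h) for p in names)]


def shared_certificates(observed: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group hosts by SHA-256 fingerprint of the DER certificate each presented.
    Any group with more than one host means those tenants share a key pair."""
    groups: Dict[str, List[str]] = {}
    for host, der in observed.items():
        groups.setdefault(hashlib.sha256(der).hexdigest(), []).append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}


# Constructed sample data (hypothetical tenant names, fake DER bytes).
SANDBOX_WILDCARD = "*.sandbox.operations.dynamics.com"
TENANT_HOSTS = [
    "tenant-a.sandbox.operations.dynamics.com",
    "tenant-b.sandbox.operations.dynamics.com",
    "tenant-a.operations.dynamics.com",        # production, different wildcard
    "dev.tenant-a.sandbox.operations.dynamics.com",  # two labels deep: not covered
]
OBSERVED_CERTS = {
    "tenant-a.sandbox.operations.dynamics.com": b"constructed-shared-wildcard-cert",
    "tenant-b.sandbox.operations.dynamics.com": b"constructed-shared-wildcard-cert",
    "tenant-a.operations.dynamics.com": b"constructed-production-cert",
}
```

Running `shared_certificates(OBSERVED_CERTS)` over real captured leaf certificates (for example from `ssl.get_server_certificate`, DER-encoded) is a quick way to audit whether separate tenant endpoints of any SaaS product present the same key pair.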
