Microsoft Dynamics 365: Wildcard Certificate with a private Key for everyone

For the cloud application "Dynamics 365", Microsoft used a single wildcard certificate for all instances. At least in a test version it was possible to extract the private key, and one could potentially have attacked all other customers. Microsoft initially denied that there was a problem.

This article is also available in German.

In a cloud ERP product, Microsoft used the same certificate for the HTTPS connections of all customer instances. The software developer Matthias Gliwka was able to extract the private key from a so-called sandbox instance. It could have been used for a man-in-the-middle attack on users of other instances.

With the cloud version of Dynamics 365 for Operations, every customer gets an instance of the software on their own server. The sandbox version is meant to be a test environment. The web interfaces of these systems used an HTTPS wildcard certificate that was valid for *.sandbox.operations.dynamics.com. It was issued by Microsoft's own certificate authority.

Remote access allows extracting the private key

Customers can log into the sandbox server via Microsoft's Remote Desktop Protocol (RDP). As the customer has direct access to the server, it is not difficult to extract the private key belonging to the certificate and download it.

The key was marked as non-exportable, but that is not really a protection. There are various tools that allow circumventing it. Matthias Gliwka created a small custom tool to get access to the key.

With the help of the private key it is possible to perform man-in-the-middle attacks on other users, as the certificate for all instances is identical. If an attacker is in the same network as his victim, he could forward all connections to a Dynamics 365 instance to his own server. There he could run a phishing page that cannot be distinguished from the original interface.

It was not clear to Gliwka at that point whether the same problem existed for the production instances as well, as he did not have access to one. However, the production instances also use a wildcard certificate, valid for *.operations.dynamics.com.

Gliwka contacted Microsoft's Security Response Center back in August. In a first reply he was told that they did not believe this was a security problem, as the attacker needs administration rights on the server. It seems, therefore, that Microsoft initially did not understand that the key from one instance can be used to attack other customers.

In a second mail Gliwka tried to describe the problem in more detail. That mail was never answered.

After that, Gliwka directly contacted a person working for Microsoft's certificate authority. The person told him that Microsoft's security team was not able to find his mail. After he re-sent the mail they still could not find it at first, but a few days later he was told that they had found it now and were "actively engaged". However, after that nothing happened.

Microsoft support gives out phone number of Marine Spill Response Corp

Gliwka then tried Microsoft's support chat and asked for a phone number of the MSRC, the abbreviation for Microsoft's Security Response Center. He got a phone number, but it belonged to a company named "Marine Spill Response Corp", also abbreviated MSRC. This company has nothing to do with Microsoft; it handles accidents in the oil industry.

In the end, Gliwka contacted Golem.de, hoping that this would get some attention for the problem. According to the rules for certificate authorities, the so-called Baseline Requirements, certificates with a compromised private key should be revoked within 24 hours. The author of this text reported the problem to Mozilla's bug tracker and also informed a Chrome developer and a representative from Digicert.

Microsoft does not run its own root certificate authority; the Microsoft certificates are indirectly signed by Digicert. Therefore Digicert is indirectly responsible for the revocation.

When Mozilla contacted Microsoft things were solved quickly

That finally caused some action on Microsoft's side. Representatives from Mozilla directly contacted Microsoft. Within a few days both wildcard certificates were revoked. Future instances of Dynamics 365 will get an individual certificate with an individual private key.

We asked Microsoft whether this bug would also have affected the production instances. They told us that it would not have been possible, as there is no remote desktop access to these instances. It is, however, possible to install custom software modules there, but Microsoft informed us that these also cannot be used to extract the private key, as they do not run with sufficient permissions.

But even if one cannot extract the private key, this might still be a security problem. An attacker could have forwarded a customer from one instance to another, as the certificate is valid for all instances. He could therefore potentially have gotten someone to enter internal company data into the wrong instance of Dynamics 365.
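As an added illustration (not code from the article, from Gliwka or from Microsoft) of why a single wildcard certificate covers every instance, and of how a customer could audit which of their instances present the same certificate: the two wildcard patterns are those named in the article, while the instance hostnames and the DER blobs are constructed placeholders, and fetch_der is a helper for a live check against a real host.

```python
import hashlib
import ssl
from collections import defaultdict


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname the way browsers do
    (RFC 6125): '*' is honoured only as the complete leftmost label and
    stands for exactly one label, so '*.a.b' covers 'x.a.b' but not 'y.x.a.b'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False  # partial wildcards such as 'a*' are rejected
    return p_labels[1:] == h_labels[1:]


def instances_covered(san_names, instance_hosts):
    """Instance hostnames that a certificate with these SAN entries is valid for.
    Every host returned here is exposed if that one private key leaks."""
    return [h for h in instance_hosts
            if any(wildcard_matches(n, h) for n in san_names)]


def shared_certificates(host_to_der):
    """Group hosts by the SHA-256 fingerprint of their DER certificate; a group
    with more than one host is a set of instances sharing one certificate."""
    groups = defaultdict(list)
    for host, der in host_to_der.items():
        groups[hashlib.sha256(der).hexdigest()].append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}


def fetch_der(host, port=443):
    """Live variant for a real audit: fetch the server's certificate as DER."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    # Constructed instance names (the real instance names are not in the article).
    hosts = ["customer-a.sandbox.operations.dynamics.com",
             "customer-b.sandbox.operations.dynamics.com",
             "customer-a.operations.dynamics.com"]
    print(instances_covered(["*.sandbox.operations.dynamics.com"], hosts))
    print(instances_covered(["*.operations.dynamics.com"], hosts))
    # Constructed DER blobs standing in for what fetch_der() would return.
    print(shared_certificates({hosts[0]: b"der-sandbox", hosts[1]: b"der-sandbox",
                               hosts[2]: b"der-prod"}))
```

Note that the production wildcard *.operations.dynamics.com does not cover the sandbox hosts, since a wildcard matches exactly one label; the two certificates therefore exposed two separate pools of instances.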
