Microsoft Dynamics 365: Wildcard Certificate with a private Key for everyone

For the cloud application "Dynamics 365" Microsoft used a single wildcard certificate for all instances. At least in a test version it was possible to extract the private key and one could've potentially attacked all other customers. Microsoft first denied that there is a problem.

Dieser Artikel ist auch auf Deutsch verfügbar.

In a cloud ERP product Microsoft used the same certificate for all customer instances for HTTPS connections. The software developer Matthias Gliwka was able to extract the private key from a so-called sandbox instance. This could've been used for a man in the middle attack on users of other instances.

With the cloud version of Dynamics 365 for operations every customer gets an instance of the software on his own server. The sandbox version is meant to be a test environment. The webinterfaces of these systems used an HTTPS wildcard certificate that was valid for * It was issued by Microsofts own certificate authority.

Remote access allows extracting the private Key

Customers can log into the sandbox server via Microsoft's Remote Desktop Protocol (RDP). As the customer has direct access to the server it is not difficult to extract the private key belonging to the certificate and download it.

The key was marked as non-exportable, however that's not really a protection. There are various tools that allow to circumvent that. Matthias Gliwka created a small custom tool to get access to the key.

With the help of the private key it's possible to perform man in the middle attacks on other users, as the certificate for all instances is identical. If an attacker is in the same network as his victim he could forward all connections to a Dynamics 365 instance to his own server. There he could run a phishing page that cannot be distinguished from the original interface.

It wasn't clear for Gliwka at that point if the same problem exists for the production instance as well, as he didn't have access to one. However the production instance also uses a wildcard certificate - valid for *

Gliwka contacted Microsofts Security Response Center back in August. In a first reply he was told that they didn't believe this is a security problem, as the attacker needs administration rights on the server. It seems therefore that Microsoft initially didn't understand that the key from one instance can be used to attack other customers.

In a second mail Gliwka tried to describe the problem in more detail. That mail was never answered.

After that Gliwka directly contacted a person working for Microsoft's certificate authority. The person told him that Microsoft's security team wasn't able to find his mail. After he re-sent the mail they first still couldn't find it, but a few days later he was told that they foundit now and are "actively engaged". However after that nothing happened.

Microsoft support gives reported phone number of Marine Spill Response Corp

Gliwka now tried to contact Microsoft's support chat and asked them for a phone number of the MSRC - the abbreviation of Microsoft's Security Response Center. He got a phone number, however that belonged to a company named "Marine Spill Response Corp" - also abbreviated MSRC. This company has nothing to do with Microsoft, it is handling accidents in the oil industry.

In the end Gliwka contacted, hoping that this would get some attention for the problem. According to the rules for certificate authorities, the so-called Baseline Requirements, certificates with a compromised private key should be revoked within 24 hours. The author of this text reported this problem to Mozilla's bug tracker and also informed a Chrome developer and a representative from Digicert.

Microsoft doesn't run its own root certificate authority, the Microsoft certificates are indirectly signed by Digicert. Therefore Digicert is indirectly responsible for the revocation.

When Mozilla contacted Microsoft things were solved quickly

That finally caused some action on Microsoft's side. Representatives from Mozilla directly contacted Microsoft. Within a few days both wildcard certificates were revoked. Future instances of Dynamics 365 will get an individual certificate with an individual private key.

We asked Microsoft whether this bug would also have affected the production instances. They told us that it wouldn't have been possible, as there is no remote desktop access to these instances. It is however possible to install custom software modules there, but Microsoft informed us that they also can't be used to extract the private key, as they don't run with sufficient permissions.

But even if one can't extract the private key this still might be a security problem. An attacker could've forward a customer from one instance to another, as the certificate is valid for all instances. Therefore he could've potentially get someone to enter internal company data into the wrong instance of Dynamics 365.

Aktuell auf der Startseite von
ChatGPT erfindet Gerichtsakten

Ein Anwalt wollte sich von ChatGPT bei der Recherche unterstützen lassen - das Ergebnis ist eine Blamage.

Halluzination: ChatGPT erfindet Gerichtsakten
  1. Forschung: KI findet Antibiotikum gegen multirestistentes Bakterium
    KI findet Antibiotikum gegen multirestistentes Bakterium

    Forscher zeigen, dass die Hoffnungen in KI bei der Entwicklung von Medikamenten berechtigt sind. Ihre Entwicklung soll deutlich schneller werden.

  2. Mikromechanik: Zotac bringt ersten PC mit fast lautlosem MEMS-Lüfter
    Zotac bringt ersten PC mit fast lautlosem MEMS-Lüfter

    Dank Mikromechanik soll Frores Airjet kleiner und leiser sein als Lüfter. Der erste PC damit wird aber recht teuer.

  3. Blue Byte: Im Bann der ersten Siedler
    Blue Byte
    Im Bann der ersten Siedler

    Vor 30 Jahren wuselten die ersten Siedler über den Bildschirm. hat den Aufbauspiel-Klassiker von Blue Byte neu ausprobiert.
    Von Andreas Altenheimer

Du willst dich mit beruflich verändern oder weiterbilden?
Zum Stellenmarkt
Zur Akademie
Zum Coaching
  • Schnäppchen, Rabatte und Top-Angebote
    Die besten Deals des Tages
    • Daily Deals • Microsoft Xbox Wireless Controller 40,70€ • Lexar Play 1 TB 99,60€ • DAMN!-Deals mit AMD-Bundle-Aktion • Crucial P5 Plus 1 TB 72€ • MSI RX 7600 299€ • Inno3D RTX 4070 679€ • MindStar: ASRock RX 6800 XT Phantom OC 579€, PowerColor RX 6800 Fighter 489€ • Logitech bis -46% [Werbung]
    •  /