Microsoft Dynamics 365: Wildcard certificate with a private key for everyone

For its cloud application Dynamics 365, Microsoft used a single wildcard certificate for all customer instances. At least in the test version it was possible to extract the private key, which could then have been used to attack every other customer. Microsoft initially denied that there was a problem.

This article is also available in German.

In a cloud ERP product, Microsoft used the same certificate for the HTTPS connections of all customer instances. The software developer Matthias Gliwka was able to extract the private key from a so-called sandbox instance. It could have been used for man-in-the-middle attacks on the users of other instances.

With the cloud version of Dynamics 365 for Operations, every customer gets an instance of the software on its own server. The sandbox version is meant as a test environment. The web interfaces of these systems used an HTTPS wildcard certificate valid for *.sandbox.operations.dynamics.com, issued by Microsoft's own certificate authority.

Remote access allows extracting the private key

Customers can log into the sandbox server via Microsoft's Remote Desktop Protocol (RDP). Since the customer has direct, administrative access to the server, it is not difficult to extract the private key belonging to the certificate and download it.

The key was marked as non-exportable, but that is not a real protection: the flag is enforced in software by the key storage provider, and a local administrator can read the key material regardless. Various tools exist that circumvent it; Gliwka wrote a small custom tool to get at the key. Only a key kept in hardware (a TPM or HSM) would actually prevent extraction, and that was not the case here.

With the private key, man-in-the-middle attacks on the users of other instances become possible, because the certificate is identical for all instances. An attacker on the same network as the victim could redirect all connections to a Dynamics 365 instance to a server of his own and serve a phishing page there that cannot be distinguished from the original interface: the browser sees a certificate valid for the requested host name and raises no warning.

At that point it was not clear to Gliwka whether the same problem existed for production instances as well, because he had no access to one. The production instances, however, also use a wildcard certificate, valid for *.operations.dynamics.com.

Gliwka contacted Microsoft's Security Response Center in August. In a first reply he was told that they did not consider this a security problem, since the attacker needs administrator rights on the server. Microsoft apparently did not initially understand that the key from one instance can be used to attack other customers.

In a second mail Gliwka tried to describe the problem in more detail. That mail was never answered.

After that, Gliwka directly contacted a person working for Microsoft's certificate authority. That person told him that Microsoft's security team could not find his mail. After he re-sent it they still could not find it at first, but a few days later he was told that they had found it now and were "actively engaged". Nothing happened after that.

Microsoft support gives the reporter the phone number of Marine Spill Response Corp

Gliwka then tried Microsoft's support chat and asked for a phone number of the MSRC, the abbreviation of Microsoft's Security Response Center. He was given a phone number, but it belonged to a company named "Marine Spill Response Corp", also abbreviated MSRC. That company has nothing to do with Microsoft; it handles oil spills.

In the end Gliwka contacted Golem.de, hoping this would get some attention for the problem. According to the rules for certificate authorities, the so-called Baseline Requirements, a certificate whose private key has been compromised must be revoked within 24 hours. The author of this article reported the problem in Mozilla's bug tracker and also informed a Chrome developer and a representative of DigiCert.

Microsoft does not run its own publicly trusted root certificate authority; the issuing CA for these certificates chains up to a DigiCert root. DigiCert is therefore indirectly responsible for the revocation.

When Mozilla contacted Microsoft, things moved quickly

That finally caused some action on Microsoft's side. Representatives of Mozilla contacted Microsoft directly. Within a few days both wildcard certificates were revoked. Future instances of Dynamics 365 will get an individual certificate with an individual private key.

We asked Microsoft whether this bug would also have affected the production instances. They told us that this would not have been possible, as there is no remote desktop access to those instances. It is possible to install custom software modules there, but according to Microsoft these cannot be used to extract the private key either, because they do not run with sufficient permissions.

But even without extracting the private key, this can still be a security problem. Because the certificate is valid for all instances, an attacker could have redirected a customer from one instance to another, and thereby potentially gotten someone to enter internal company data into the wrong Dynamics 365 instance.
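The scope of the problem described above (one key covering every sandbox tenant, and the cross-instance redirect that works even without the key) comes down to how browsers match a wildcard name against a host name. The following is an added example, not code from the article, from Microsoft or from Gliwka: a minimal RFC 6125-style matcher for dNSName entries, run over a constructed list of customer instance host names. The host names and the per-instance SAN are assumptions for illustration; the matcher is deliberately simplified (no IDNA handling, no CN fallback, wildcard honoured only as the entire left-most label, as current browsers do).

```python
"""
Added example: why one wildcard certificate covers every tenant's instance.

Assumptions (not from the article): the customer host names below are
constructed, and PER_INSTANCE_CERT stands for the kind of individual
certificate Microsoft said future instances would receive.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # A wildcard is honoured only as the whole left-most label ("*").
    # Partial wildcards such as "cust*" are treated as literal text.
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def name_matches(san: str, hostname: str) -> bool:
    """Return True if the dNSName entry `san` covers `hostname`.

    Matching is case-insensitive. A '*' matches exactly one label and only
    in the left-most position, so '*.sandbox.operations.dynamics.com'
    covers 'acme.sandbox.operations.dynamics.com' but neither
    'a.b.sandbox.operations.dynamics.com' (two labels) nor
    'sandbox.operations.dynamics.com' (zero labels).
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if "*" in san_labels[1:]:
        return False  # wildcards are only allowed in the left-most label
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False  # refuse over-broad names such as "*.com"
    return all(_label_matches(p, h) for p, h in zip(san_labels, host_labels))


def cert_covers(san_list, hostname: str) -> bool:
    """True if any SAN entry of a certificate covers the host name."""
    return any(name_matches(san, hostname) for san in san_list)


def instances_covered(san_list, hostnames):
    """All host names (sorted) a certificate with these SANs is valid for.

    With a leaked private key this is the set of instances an attacker can
    impersonate; without the key it is still the set of instances a user
    can be redirected between without a browser warning.
    """
    return sorted(h for h in hostnames if cert_covers(san_list, h))


# The two wildcard names from the article.
SHARED_SANDBOX_CERT = ["*.sandbox.operations.dynamics.com"]
SHARED_PROD_CERT = ["*.operations.dynamics.com"]
# Assumed shape of a per-instance certificate (the announced fix).
PER_INSTANCE_CERT = ["acme-sandbox.sandbox.operations.dynamics.com"]

# Constructed customer instance host names (not real tenants).
HOSTS = [
    "acme-sandbox.sandbox.operations.dynamics.com",
    "contoso-sandbox.sandbox.operations.dynamics.com",
    "acme-prod.operations.dynamics.com",
    "contoso-prod.operations.dynamics.com",
]

if __name__ == "__main__":
    for label, sans in [("shared sandbox wildcard", SHARED_SANDBOX_CERT),
                        ("shared production wildcard", SHARED_PROD_CERT),
                        ("per-instance certificate", PER_INSTANCE_CERT)]:
        print(f"{label}: valid for {instances_covered(sans, HOSTS)}")
```

Note that the sandbox and production wildcards do not overlap: a sandbox host name has one more label than the production pattern, so each key only covers its own tier. That is consistent with the article, where both certificates had to be revoked separately, and with the fact that the sandbox key alone did not settle the question for production instances.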


