Microsoft Dynamics 365: Wildcard Certificate with a private Key for everyone
For the cloud application "Dynamics 365" Microsoft used a single wildcard certificate for all instances. At least in a test version it was possible to extract the private key and one could've potentially attacked all other customers. Microsoft first denied that there is a problem.
Dieser Artikel ist auch auf Deutsch verfügbar.
In a cloud ERP product Microsoft used the same certificate for all customer instances for HTTPS connections. The software developer Matthias Gliwka was able to extract the private key from a so-called sandbox instance. This could've been used for a man in the middle attack on users of other instances.
With the cloud version of Dynamics 365 for operations every customer gets an instance of the software on his own server. The sandbox version is meant to be a test environment. The webinterfaces of these systems used an HTTPS wildcard certificate that was valid for *.sandbox.operations.dynamics.com. It was issued by Microsofts own certificate authority.
Remote access allows extracting the private Key
Customers can log into the sandbox server via Microsoft's Remote Desktop Protocol (RDP). As the customer has direct access to the server it is not difficult to extract the private key belonging to the certificate and download it.
The key was marked as non-exportable, however that's not really a protection. There are various tools that allow to circumvent that. Matthias Gliwka created a small custom tool to get access to the key.
With the help of the private key it's possible to perform man in the middle attacks on other users, as the certificate for all instances is identical. If an attacker is in the same network as his victim he could forward all connections to a Dynamics 365 instance to his own server. There he could run a phishing page that cannot be distinguished from the original interface.
It wasn't clear for Gliwka at that point if the same problem exists for the production instance as well, as he didn't have access to one. However the production instance also uses a wildcard certificate - valid for *.operations.dynamics.com.
Gliwka contacted Microsofts Security Response Center back in August. In a first reply he was told that they didn't believe this is a security problem, as the attacker needs administration rights on the server. It seems therefore that Microsoft initially didn't understand that the key from one instance can be used to attack other customers.
In a second mail Gliwka tried to describe the problem in more detail. That mail was never answered.
After that Gliwka directly contacted a person working for Microsoft's certificate authority. The person told him that Microsoft's security team wasn't able to find his mail. After he re-sent the mail they first still couldn't find it, but a few days later he was told that they foundit now and are "actively engaged". However after that nothing happened.
Microsoft support gives reported phone number of Marine Spill Response Corp
Gliwka now tried to contact Microsoft's support chat and asked them for a phone number of the MSRC - the abbreviation of Microsoft's Security Response Center. He got a phone number, however that belonged to a company named "Marine Spill Response Corp" - also abbreviated MSRC. This company has nothing to do with Microsoft, it is handling accidents in the oil industry.
In the end Gliwka contacted Golem.de, hoping that this would get some attention for the problem. According to the rules for certificate authorities, the so-called Baseline Requirements, certificates with a compromised private key should be revoked within 24 hours. The author of this text reported this problem to Mozilla's bug tracker and also informed a Chrome developer and a representative from Digicert.
Microsoft doesn't run its own root certificate authority, the Microsoft certificates are indirectly signed by Digicert. Therefore Digicert is indirectly responsible for the revocation.
When Mozilla contacted Microsoft things were solved quickly
That finally caused some action on Microsoft's side. Representatives from Mozilla directly contacted Microsoft. Within a few days both wildcard certificates were revoked. Future instances of Dynamics 365 will get an individual certificate with an individual private key.
We asked Microsoft whether this bug would also have affected the production instances. They told us that it wouldn't have been possible, as there is no remote desktop access to these instances. It is however possible to install custom software modules there, but Microsoft informed us that they also can't be used to extract the private key, as they don't run with sufficient permissions.
But even if one can't extract the private key this still might be a security problem. An attacker could've forward a customer from one instance to another, as the certificate is valid for all instances. Therefore he could've potentially get someone to enter internal company data into the wrong instance of Dynamics 365.