Microsoft fixes exposed TLS key for Dynamics 365 Finance and Operations, Enterprise (at long last)
Customers of Microsoft Dynamics 365 Finance and Operations Enterprise edition were vulnerable to "man-in-the-middle" attacks for three months before Microsoft resolved the exposure. And according to the developer who discovered it, Microsoft only deployed a fix after increasing pressure that made the issue public.
German software developer Matthias Gliwka describes himself as a "curious world traveler, hacker and software engineer." Details on Gliwka are hard to nail down, but he appears to be an independent developer who maintains an infrequently updated blog. It was there, last week, that he described the 100-day journey to resolution of the Dynamics 365 cloud security issue.
In an August 17, 2017 email to the Microsoft Security Response Center (MSRC) (secure@microsoft.com), Gliwka described a vulnerability he had noticed in the Azure-hosted D365FOE environments. As he described:
Each separate customer environment...uses the same wildcard server certificate (including the private key) for the domain *.sandbox.operations.dynamics.com, meaning the service hosted for Acme Inc. at acme.sandbox.operations.dynamics.com uses the same TLS wildcard certificate as Evil Inc. hosted at evil.sandbox.operations.dynamics.com.
Thus, one valid TLS certificate, together with its private key, would serve them all, and Gliwka found it easy to access. And as he points out, sandbox environments are usually mirror instances of production environments (and so hold critical customer data, e.g., from CRM); the production environments used a shared wildcard certificate as well, for [customer].operations.dynamics.com.
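The passage above turns on two facts: a wildcard name such as *.sandbox.operations.dynamics.com matches every tenant's hostname, and one certificate (and therefore one private key) served all of them. The following audit script is an added example, not code from the article, from Gliwka or from Microsoft. It implements RFC 6125-style wildcard matching and then groups a TLS inventory by certificate fingerprint to flag any certificate that is valid for more than one tenant. The inventory rows, the fingerprints and the assumption that the left-most label names the tenant are all constructed for this example; in practice the rows would come from an internal scan of the hostnames you operate.

```python
"""Audit whether separate tenant hostnames are served by one shared TLS certificate.

Constructed example: INVENTORY holds made-up rows of
(hostname, SHA-256 fingerprint of the served leaf certificate, subjectAltName DNS entries).
The fingerprints are placeholders, not real values.
"""
from collections import defaultdict

# Constructed sample inventory (assumption: one row per tenant hostname).
INVENTORY = [
    ("acme.sandbox.operations.dynamics.com", "AA" * 32, ["*.sandbox.operations.dynamics.com"]),
    ("evil.sandbox.operations.dynamics.com", "AA" * 32, ["*.sandbox.operations.dynamics.com"]),
    ("acme.operations.dynamics.com", "BB" * 32, ["*.operations.dynamics.com"]),
    ("evil.operations.dynamics.com", "BB" * 32, ["*.operations.dynamics.com"]),
    ("portal.example-tenant.test", "CC" * 32, ["portal.example-tenant.test"]),
]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' may only stand for the whole left-most label.

    '*.sandbox.operations.dynamics.com' matches 'acme.sandbox.operations.dynamics.com'
    but not 'a.b.sandbox.operations.dynamics.com' and not the bare parent domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        # Exactly one extra label on the host side, and every remaining label equal.
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def tenant_of(hostname: str) -> str:
    """Assumption for this example: the left-most DNS label is the tenant name."""
    return hostname.split(".")[0].lower()


def find_shared_certs(inventory):
    """Group hosts by certificate fingerprint; return fingerprints covering more than one tenant."""
    tenants_by_fp = defaultdict(set)
    for host, fingerprint, sans in inventory:
        # Only attribute the certificate to the host if it is actually valid for that name.
        if any(hostname_matches(san, host) for san in sans):
            tenants_by_fp[fingerprint].add(tenant_of(host))
    return {fp: sorted(t) for fp, t in tenants_by_fp.items() if len(t) > 1}


def wildcard_sans(inventory):
    """Return the distinct wildcard SAN entries in use; each one is a single key trusted for every matching tenant."""
    return sorted({san for _, _, sans in inventory for san in sans if san.startswith("*.")})


if __name__ == "__main__":
    for fp, tenants in find_shared_certs(INVENTORY).items():
        print(f"certificate {fp[:16]}... is served to tenants {tenants}")
    print("wildcard SANs in use:", wildcard_sans(INVENTORY))
```

Run against the constructed inventory, the script reports that the "AA..." and "BB..." certificates are each shared between the acme and evil tenants while the per-host certificate on portal.example-tenant.test is not flagged; a per-tenant certificate, or at least a per-tenant key behind a shared name, is what makes the finding go away.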
The implications as Gliwka describes them: