It took Microsoft more than 100 days to address a problem related to the use of the same digital certificate for all installations of its Dynamics 365 enterprise resource planning (ERP) product, but the company said the issue posed little risk.
Dynamics 365, a product hosted on Microsoft’s Azure cloud platform, has three main components: a production system, a development system, and a user acceptance testing system. The user acceptance system, also known as a sandbox, is a test environment that mimics the production system and allows remote access via RDP.
Developer Matthias Gliwka accessed the sandbox via RDP and noticed in the application’s Certificate Manager that it included a wildcard TLS certificate for the *.sandbox.operations.dynamics.com domain, along with its private key. The certificate, shared across all sandbox environments, had been issued by Microsoft’s own certificate authority (CA).
Since the certificate – for which the expert easily extracted the private key – had been used to encrypt traffic between users and the server, a man-in-the-middle (MitM) attacker in possession of the key could have intercepted data without raising any suspicion.
“The users of this user acceptance (sandbox) systems are high-value targets,” Gliwka explained in a blog post. “They are usually in key positions at the respective organization and have access to valuable information. The sandbox system itself often also contains sensitive information to make the tests more realistic. There is even a feature to copy the production database into the sandbox environment to enable this use case.”
Further analysis showed that all production systems used a wildcard certificate for the *.operations.dynamics.com domain. However, RDP access to production environments is not possible, making it more difficult to extract the certificate’s private key and launch an attack. Nevertheless, Gliwka believes this could have been achieved if the attacker had managed to find a code execution vulnerability on the server.
Microsoft has decided to update all sandbox and production environments to use unique certificates, but the company has described it as a “defense-in-depth” measure, claiming that “controls exist in production environments that render the described technique ineffective.”
While the issue may not have posed a big risk to Dynamics 365 users, Gliwka claims it took a lot of time to get Microsoft to take action. The developer reported his findings to Microsoft in mid-August, but the exposed wildcard certificates were only revoked in early December after German researcher and journalist Hanno Böck got involved and a ticket was opened on Mozilla’s bug tracker. Certificates whose private key has been compromised should normally be revoked within 24 hours.
Gliwka claims that during communications with Microsoft support, he was provided a phone number for the Marine Spill Response Corporation (MSRC), an oil spill and emergency response organization in the U.S., instead of contact information for the Microsoft Security Response Center (MSRC).