Connect with us

Hi, what are you looking for?



Microsoft Says ERP Product Private Key Leak Posed Little Risk

It took Microsoft more than 100 days to address a problem related to the use of the same digital certificate for all installations of its Dynamics 365 enterprise resource planning (ERP) product, but the company said the issue posed little risk.

It took Microsoft more than 100 days to address a problem related to the use of the same digital certificate for all installations of its Dynamics 365 enterprise resource planning (ERP) product, but the company said the issue posed little risk.

Dynamics 365, a product hosted on Microsoft’s Azure cloud platform, has three main components: a production system, a development system, and a user acceptance testing system. The user acceptance system, also known as a sandbox, is a test environment that mimics the production system and allows remote access via RDP.

Developer Matthias Gliwka accessed the sandbox via RDP and noticed in the application’s Certificate Manager that it included a wildcard TLS certificate for the * domain, along with its private key. The certificate, shared across all sandbox environments, had been issued by Microsoft’s own certificate authority (CA).

Since the certificate – for which the expert easily extracted the private key – had been used to encrypt traffic between users and the server, a man-in-the-middle (MitM) attacker in possession of the key could have intercepted data without raising any suspicion.

“The users of this user acceptance (sandbox) systems are high-value targets,” Gliwka explained in a blog post. “They are usually in key positions at the respective organization and have access to valuable information. The sandbox system itself often also contains sensitive information to make the tests more realistic. There is even a feature to copy the production database into the sandbox environment to enable this use case.”

Further analysis showed that all production systems used a wildcard certificate for the * domain. However, RDP access to production environments is not possible, making it more difficult to extract the certificate’s private key and launch an attack. Nevertheless, Gliwka believes this could have been achieved if the attacker had managed to find a code execution vulnerability on the server.

Microsoft told SecurityWeek that it has decided to update all sandbox and production environments to use unique certificates, but the company has described it as a “defense-in-depth” measure, claiming that “controls exist in production environments that render the described technique ineffective.”

Advertisement. Scroll to continue reading.

While the issue may not have posed a big risk to Dynamics 365 users, Gliwka claims it took a lot of time to get Microsoft to take action. The developer reported his findings to Microsoft in mid-August, but the exposed wildcard certificates were only revoked in early December after German researcher and journalist Hanno Böck got involved and a ticket was opened on Mozilla’s bug tracker. Certificates whose private key has been compromised should normally be revoked within 24 hours.

Gliwka claims that during communications with Microsoft support, he was provided a phone number for the Marine Spill Response Corporation (MSRC), an oil spill and emergency response organization in the U.S., instead of contact information for the Microsoft Security Response Center (MSRC).

Related: Savitech Audio Drivers Caught Installing Root Certificate

Related: Symantec Tricked Into Revoking Certificates Using Fake Keys

Related: Let’s Encrypt Wildcard Certificates a ‘Boon’ for Cybercriminals

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...