ltechnologygroup.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.
Another day, another credential found wandering without a leash: Microsoft accidentally left a Dynamics 365 TLS certificate and private key where they could leak, and according to the discoverer, took 100 days to fix the bungle.
Matthias Gliwka, a Stuttgart-based software developer, discovered the slip while working with the cloud version of Redmond’s ERP system.
Writing at Medium, Gliwka said the TLS certificate was exposed in the Dynamics 365 sandbox environment, designed for user acceptance testing.
Unlike the development and production servers, the sandbox gives admins RDP access, and “that’s where the fun begins”.
Access from any sandbox environment yields “ a valid TLS certificate for the common name
*.sandbox.operations.dynamics.com and the corresponding private key — by the courtesy of Microsoft IT SSL SHA2 CA!”.
With the certificate (which can be exported with fairly basic tools) and the private key, Gliwka said that any man-in-the-middle can see user communications in the clear, and can modify that content without detection.
@msftsecresponse Reported a leaked TLS private key for a cloud product >45 days ago – still no response. Can you take a look? Case #40397
— Matthias Gliwka (@cerebuild) October 4, 2017
Gliwka detailed extensive communications with Microsoft to explain the issue, and finding his efforts to get the problem fixed, he contacted German tech freelancer Hanno Böck to get coverage.
Böck tried filing a bug ticket with Mozilla’s bug tracker (since browsers track which certificates are trustworthy), and that got Microsoft moving. Gliwka wrote that the hole was plugged on 5 December – quite some time after his original notification to Microsoft on 17 August. ®
At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.