Microsoft Fixes Critical Security Flaws in Dynamics 365
Critical Security Vulnerabilities Found in Dynamics 365 and Power Apps Web API
Emerging details have revealed three critical security vulnerabilities in Microsoft’s Dynamics 365 and Power Apps Web API that could potentially expose sensitive data. Discovered by Stratus Security, a cybersecurity firm based in Melbourne, these flaws were patched in May 2024. Organizations using these platforms should be aware of these vulnerabilities to ensure their data remains secure.
Overview of the Vulnerabilities
The identified vulnerabilities primarily affect the Power Platform’s OData Web API Filter and the FetchXML API. Each vulnerability presents unique risks that could be exploited by malicious actors to gain unauthorized access to sensitive information.
Vulnerability Details
- Lack of Access Control on OData Web API Filter
  The first vulnerability stems from inadequate access controls on the OData Web API Filter. This flaw allows unauthorized access to the contacts table, which contains sensitive data such as:
  - Full names
  - Phone numbers
  - Addresses
  - Financial data
  - Password hashes
  Stratus Security explains that attackers could exploit this vulnerability to perform a boolean-based search to extract complete password hashes by sequentially guessing each character.
- Insecure Use of OrderBy Clause
  The second vulnerability involves the orderby clause in the same API. This flaw allows attackers to retrieve data from specific database columns, such as the primary email address (EMailAddress1) of contacts, potentially exposing further sensitive information.
- Exploitation of FetchXML API
  The third vulnerability relates to the FetchXML API, which can be manipulated to access restricted columns in the contacts table through crafted orderby queries. This exploitation does not require the orderby to be in descending order, giving attackers greater flexibility.
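The character-by-character boolean search and the orderby-on-restricted-column pattern described above both leave a recognisable trace in Web API request logs. The following detection logic is an added example written for this article, not code from Stratus Security or Microsoft; it assumes a constructed log format of client, method and request target, uses the OData startswith() function as the guessing primitive, and treats the column and address values in the sample lines as made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample log (client, method, target); URL shape follows the Dataverse Web API
# convention, while the addresses, columns and literals are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(emailaddress1,'a')
10.0.0.5 GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(emailaddress1,'ad')
10.0.0.5 GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(emailaddress1,'adm')
10.0.0.5 GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(emailaddress1,'admi')
10.0.0.9 GET /api/data/v9.2/contacts?$select=fullname&$orderby=emailaddress1%20desc
10.0.0.7 GET /api/data/v9.2/contacts?$select=fullname&$filter=contains(fullname,'smith')
"""

# Matches an OData startswith(column,'literal') term inside a $filter expression.
STARTSWITH = re.compile(r"startswith\(\s*(\w+)\s*,\s*'([^']*)'\s*\)", re.IGNORECASE)

def _requests(log_text):
    """Yield (client, parsed query-string dict) for every request line."""
    for line in log_text.splitlines():
        client, _method, target = line.split(maxsplit=2)
        yield client, parse_qs(urlparse(target).query)

def detect_prefix_enumeration(log_text, min_chain=3):
    """Flag (client, column) pairs whose successive startswith() literals each extend
    the previous one by exactly one character: the boolean-search pattern above."""
    chains = defaultdict(list)   # (client, column) -> prefixes seen so far, in order
    alerts = []
    for client, query in _requests(log_text):
        for expr in query.get("$filter", []):
            for column, prefix in STARTSWITH.findall(expr):
                key = (client, column.lower())
                last = chains[key][-1] if chains[key] else None
                if last is not None and prefix.startswith(last) and len(prefix) == len(last) + 1:
                    chains[key].append(prefix)
                else:
                    chains[key] = [prefix]          # chain broken, start over
                if len(chains[key]) == min_chain:   # fire once when the threshold is reached
                    alerts.append(key)
    return alerts

def detect_sensitive_orderby(log_text, watched=("emailaddress1",)):
    """Flag $orderby clauses that sort on a column the caller is not meant to read."""
    hits = []
    for client, query in _requests(log_text):
        for clause in query.get("$orderby", []):
            column = clause.split()[0].lower()
            if column in watched:
                hits.append((client, column))
    return hits
```

Sorting on a column a caller cannot select is itself the signal here, so the orderby check does not depend on direction, matching the FetchXML finding above.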
Potential Impact
If these vulnerabilities were exploited, attackers could compile lists of password hashes and email addresses, which could then be cracked offline or sold. Stratus Security emphasizes the need for ongoing vigilance in cybersecurity, particularly for large organizations like Microsoft that manage substantial amounts of sensitive data.
Conclusion
The discovery of these vulnerabilities in Dynamics 365 and Power Apps API serves as a vital reminder of the importance of cybersecurity practices. Organizations leveraging these platforms should conduct regular security audits and stay updated on patches to safeguard their data effectively.