Tuesday, January 7, 2025

Critical Vulnerability Patches Issued for Microsoft Dynamics 365 and Energy Apps Web API: Enhancing Security Protocols to Mitigate Risks

Three now-patched security flaws in the Dynamics 365 and Energy Apps Web API have come to light that could have resulted in sensitive information exposure.

The issues, identified by Melbourne-based cybersecurity firm Stratus Safety, were resolved as of May 2024. Two of the three shortcomings lie within Energy Platform’s capabilities, whereas the third vulnerability stems from the organization itself.

The root cause of the first vulnerability is a lack of access control on the OData Web API Filter, which inadvertently allows access to sensitive data including full names, phone numbers, addresses, financial information, and password hashes.

A malicious actor could exploit this vulnerability by performing a boolean-based search that recovers the complete hash one character at a time, trying candidate characters until the correct value is found.

“Notably, the process commences by evaluating `startswith(adx_identity_passwordhash, 'a')`, followed by `startswith(adx_identity_passwordhash, 'aa')`, and then iteratively tests `startswith(adx_identity_passwordhash, 'ab')` until it yields results starting with ‘ab’,” Stratus Safety said.

We continue running this query until it yields results that start with ‘ab’. When the search for the next character finally comes up empty and no further characters remain, we are left with the complete value.

Another of the vulnerabilities stems from abuse of the `orderby` clause in the same API to retrieve data from a critical database table, specifically the primary email address associated with each contact.

Stratus Safety’s investigation further revealed that the FetchXML API could be leveraged in tandem with the contacts entity to access sensitive columns by exploiting an `orderby` query.

With the FetchXML API, a malicious actor can craft an `orderby` query that targets any column, effectively circumventing existing data access controls. “While departing from previous exploitations, this approach eschews the need for descending order, thereby introducing a degree of adaptability to the attack.”
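The two query shapes described above, a chain of `startswith()` probes on a password-hash column and an `$orderby` on a sensitive column, are easy to spot in portal access logs once you know to look. The following detector is an added example written for this article, not code from Stratus Safety or Microsoft; the log format, the `SENSITIVE_COLUMNS` list and the probe threshold are assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Columns a portal user must never filter or sort on (assumed list; the report names adx_identity_passwordhash).
SENSITIVE_COLUMNS = {"adx_identity_passwordhash", "emailaddress1"}
PROBE_THRESHOLD = 3  # assumed: startswith() probes on one sensitive column before alerting

STARTSWITH_RE = re.compile(r"startswith\(\s*(\w+)\s*,\s*'([^']*)'\s*\)", re.IGNORECASE)


def parse_request(line):
    """Split a constructed access-log line 'client METHOD url status' into its parts."""
    client, _method, url, _status = line.split()
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return client, parsed.path, params


def analyze(lines):
    """Return sorted (client, finding, column) tuples for the given log lines."""
    findings = set()
    probes = defaultdict(list)  # (client, column) -> prefixes seen so far, in order
    for line in lines:
        client, _path, params = parse_request(line)
        # Sorting on a sensitive column is a finding by itself: $orderby alone leaks it, with or without 'desc'.
        for token in params.get("$orderby", "").replace(",", " ").split():
            if token.lower() in SENSITIVE_COLUMNS:
                findings.add((client, "orderby_sensitive", token.lower()))
        for col, prefix in STARTSWITH_RE.findall(params.get("$filter", "")):
            col = col.lower()
            if col not in SENSITIVE_COLUMNS:
                continue
            seen = probes[(client, col)]
            seen.append(prefix)
            # Chained prefixes ('a', then 'ab', then 'abc') signal character-by-character extraction.
            chained = len(seen) > 1 and len(prefix) > len(seen[-2]) and prefix.startswith(seen[-2])
            if chained or len(seen) >= PROBE_THRESHOLD:
                findings.add((client, "prefix_probing", col))
    return sorted(findings)


# Constructed sample traffic: one client walking a hash prefix, one sorting on it, one legitimate name search.
SAMPLE_LOG = [
    "10.0.0.5 GET /_api/contacts?$filter=startswith(adx_identity_passwordhash,'a') 200",
    "10.0.0.5 GET /_api/contacts?$filter=startswith(adx_identity_passwordhash,'aa') 200",
    "10.0.0.5 GET /_api/contacts?$filter=startswith(adx_identity_passwordhash,'ab') 200",
    "10.0.0.9 GET /_api/contacts?$orderby=adx_identity_passwordhash%20desc 200",
    "10.0.0.7 GET /_api/contacts?$filter=startswith(lastname,'Sm') 200",
]
```

Running `analyze(SAMPLE_LOG)` flags the prefix-walking client and the sorting client while leaving the ordinary name search alone; in production the same logic belongs in a SIEM rule keyed on the portal's request logs.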

An attacker exploiting these vulnerabilities could compile a comprehensive list of password hashes and corresponding email addresses, then crack the passwords or distribute the sensitive information.

“The discovery of vulnerabilities in Dynamics 365 and Energy Apps API serves as a stark reminder that steadfast cybersecurity measures are crucial, especially for large corporations like Microsoft that store vast amounts of sensitive data.”
