Dynamics 365 Sandbox Sitemap


Another day, another credential found wandering without a leash: Microsoft accidentally left a Dynamics 365 TLS certificate and private key where they could leak, and according to the discoverer, took 100 days to fix the bungle.

Matthias Gliwka, a Stuttgart-based software developer, discovered the slip while working with the cloud version of Redmond's ERP system.

Writing at Medium, Gliwka said the TLS certificate was exposed in the Dynamics 365 sandbox environment, designed for user acceptance testing.

Unlike the development and production servers, the sandbox gives admins RDP access, and “that's where the fun begins”.

Access from any sandbox environment yields “a valid TLS certificate for the common name *.sandbox.operations.dynamics.com and the corresponding private key — by the courtesy of Microsoft IT SSL SHA2 CA!”.

With the certificate (which can be exported with fairly basic tools) and the private key, Gliwka said that any man-in-the-middle can see user communications in the clear, and can modify that content without detection.

@msftsecresponse Reported a leaked TLS private key for a cloud product >45 days ago - still no response. Can you take a look? Case #40397

— Matthias Gliwka (@cerebuild) October 4, 2017

Gliwka detailed extensive communications with Microsoft to explain the issue, and after his efforts to get the problem fixed proved fruitless, he contacted German tech freelancer Hanno Böck to get coverage.

Böck tried filing a bug ticket with Mozilla's bug tracker (since browsers track which certificates are trustworthy), and that got Microsoft moving. Gliwka wrote that the hole was plugged on 5 December – quite some time after his original notification to Microsoft on 17 August.


Source : http://www.theregister.co.uk/2017/12/11/dynamics_365_sandbox_leaked_tls_certificates/

Microsoft Dynamics 365 sandbox leaked TLS certificate's private parts