Recent reports have highlighted three critical security vulnerabilities in the Microsoft Dynamics 365 and Power Apps Web API. The flaws, which could lead to unauthorized exposure of customer data, were reported by Stratus Security, a cybersecurity firm based in Melbourne, and had been addressed by Microsoft as of May 2024.
The vulnerabilities are significant for any organization storing sensitive information in the platform. Two of them concern the OData Web API filter in Power Platform, while the third lies in the FetchXML API. The first stems from missing access controls on the OData $filter clause: a filter could be applied to columns the caller was not permitted to read, exposing records in the contacts table, which holds personal details such as names, phone numbers and financial data.
An attacker could exploit this weakness with a boolean-based search. Rather than reading a restricted field directly, they submit a filter asking whether the field starts with a given prefix and observe whether the matching record is returned; applied to a stored password hash, this oracle recovers the value one character at a time. As Stratus Security describes it, the attacker first queries whether the hash begins with a specific character, then extends the prefix and repeats until the full hash value is recovered. For a hex-encoded hash that is at most sixteen requests per character.
The second vulnerability lies in the OData orderby clause, which could sort results on columns the caller was not allowed to read, such as the primary email address. Because the order of the returned records mirrors the values in the hidden column, sorting leaks information about data that the existing access controls would otherwise protect.
The third vulnerability, in the FetchXML API, has the same shape when used against the contacts table: an order element could reference restricted columns. The sort was not limited to the conventional descending order either, so an attacker could sort in whichever direction best suited the extraction.
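To make the mechanism behind the three flaws concrete, the following is an added example written for this article; it is not code from Stratus Security or Microsoft. It simulates a Dataverse-style query handler over a constructed contacts table in which only the name is readable. The vulnerable handler restricts what it returns but still applies $filter and $orderby to secured columns, which is enough for the startswith oracle to recover a stored hash character by character and for a sort to expose the relative order of hidden email addresses; the hardened handler rejects any query that references a secured column anywhere, including a FetchXML order element. The column names, the OData subset parsed and the record data are assumptions made for the demonstration.

```python
"""Simulated Dataverse-style Web API handler: vulnerable vs. hardened treatment
of OData $filter / $orderby and FetchXML <order> on column-secured fields.

Constructed demonstration for this article; not Stratus Security's or Microsoft's
code. Column names, the OData subset parsed and the record data are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed contact records. Only 'fullname' is readable by the caller;
# 'emailaddress1' and 'passwordhash' stand in for column-secured fields.
CONTACTS = [
    {"fullname": "A. Example", "emailaddress1": "a@example.test", "passwordhash": "5e884898da28"},
    {"fullname": "B. Example", "emailaddress1": "b@example.test", "passwordhash": "6b3a55e0261b"},
]
READABLE = {"fullname"}
HEX = "0123456789abcdef"

# Only the startswith() filter form is parsed; that is all the oracle needs.
_STARTSWITH = re.compile(r"^startswith\((\w+),'([^']*)'\)$")


def referenced_columns(filter_=None, orderby=None, fetchxml=None):
    """Every column a query touches, whether or not it is projected."""
    cols = set()
    if filter_:
        m = _STARTSWITH.match(filter_)
        if not m:
            raise ValueError("unsupported filter")
        cols.add(m.group(1))
    if orderby:
        cols.add(orderby.split()[0])
    if fetchxml:
        for order in ET.fromstring(fetchxml).iter("order"):
            cols.add(order.get("attribute"))
    return cols


def authorize(filter_=None, orderby=None, fetchxml=None):
    """Secured columns the query references; an empty list means it may run."""
    return sorted(referenced_columns(filter_, orderby, fetchxml) - READABLE)


def query_vulnerable(rows, filter_=None, orderby=None):
    """Vulnerable: filter and sort run on any column; only the projection
    (the fields copied into the response) is limited to readable columns."""
    out = list(rows)
    if filter_:
        m = _STARTSWITH.match(filter_)
        if not m:
            raise ValueError("unsupported filter")
        col, prefix = m.groups()
        out = [r for r in out if r[col].startswith(prefix)]
    if orderby:
        col, _, direction = orderby.partition(" ")
        out.sort(key=lambda r: r[col], reverse=(direction == "desc"))
    return [{k: v for k, v in r.items() if k in READABLE} for r in out]


def query_hardened(rows, filter_=None, orderby=None):
    """Hardened: reject a query that references a secured column anywhere."""
    denied = authorize(filter_, orderby)
    if denied:
        raise PermissionError(f"query references secured column(s): {denied}")
    return query_vulnerable(rows, filter_, orderby)


def extract_hash(query, target_name, alphabet=HEX, max_len=64):
    """Boolean-based search: one startswith probe per candidate character.
    The handler never returns the hash; it only reveals whether the target
    record still matches, which is all the oracle needs."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            hit = query(CONTACTS, filter_=f"startswith(passwordhash,'{known + ch}')")
            if any(r["fullname"] == target_name for r in hit):
                known += ch
                break
        else:
            break  # no symbol extends the prefix: the full value is recovered
    return known


def names_sorted_by_hidden_email(query, direction="desc"):
    """The orderby leak: the visible name order mirrors the hidden email order."""
    return [r["fullname"] for r in query(CONTACTS, orderby=f"emailaddress1 {direction}")]


# Constructed FetchXML that orders on a secured column (ascending, not descending).
FETCHXML = """<fetch><entity name="contact"><attribute name="fullname"/>
<order attribute="emailaddress1" descending="false"/></entity></fetch>"""

if __name__ == "__main__":
    print("vulnerable handler leaks hash:", extract_hash(query_vulnerable, "A. Example"))
    print("vulnerable handler leaks order:", names_sorted_by_hidden_email(query_vulnerable))
    print("FetchXML order references:", authorize(fetchxml=FETCHXML))
    try:
        extract_hash(query_hardened, "A. Example")
    except PermissionError as e:
        print("hardened handler:", e)
```

Running the module prints the hash recovered from the vulnerable handler, the name order that betrays the hidden email order, and the rejection raised by the hardened handler. The check that matters is referenced_columns: authorization has to cover every column a query filters or sorts on, not only the columns it returns.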
Chaining these vulnerabilities, an attacker could compile lists of password hashes together with the email addresses they belong to, then crack the hashes offline or sell the data on criminal markets. The incident underscores the need for stringent security controls at every layer of a platform that holds customer data at Microsoft's scale: restricting which columns a query returns is not enough if filtering and sorting are still permitted on the protected columns.
The vulnerabilities in the Dynamics 365 and Power Apps API are a reminder that cybersecurity requires continuous vigilance. As businesses rely on ever more interconnected platforms, the opportunities for exploitation grow with them. Mapped to the MITRE ATT&CK framework, the activity described here falls under the credential access and collection tactics, with the harvested hashes and email addresses feeding later initial access; the framework remains a useful lens for reasoning about how such flaws would be used in practice.