Microsoft leaks TLS private key for cloud ERP product

210 points, by mgliwka, over 7 years ago

9 comments

jrochkind1, over 7 years ago
Inability to get a response upon reporting the vulnerability without heroic measures is more disturbing to me than the vulnerability. Vulnerabilities _will_ happen (even if this one is particularly... basic), but if the company isn't paying attention to responsible private disclosures, that's even more disastrous.

MS's eventual changing of their key practices suggests that they do agree this was a vulnerability, so discussions of how bad this vulnerability is seem irrelevant to me. The disturbing thing is not about how bad the vulnerability is, but about inability, as far as we can tell, to get MS to even analyze and evaluate the vulnerability without heroic measures including journalists threatening exposure.
Reply #15879483 not loaded
sulam, over 7 years ago
For those, like me, who were mightily confused by the timeline posted at the end — he switches to euro style dates in September and October but used US style dates in August and December.
Reply #15878706 not loaded
hannob, over 7 years ago
The Golem.de text that is mentioned in the article is now also available in an English translation: https://www.golem.de/news/microsoft-dynamics-365-wildcard-certificate-with-a-private-key-for-everyone-1712-131544.html
lbtuda, over 7 years ago
If we have a global scale attacker which can sniff the internet traffic to specific hosts, or an attacker capable of BGP hijacking, this attacker would be able to attack all companies who use Microsoft Dynamics (industrial espionage?). He would just need to sniff the credentials and log in.

After the Snowden leaks we all know that this is possible.
Reply #15878537 not loaded
Reply #15878544 not loaded
mycall, over 7 years ago
> “[c]ontrols exist in production environments that render the described technique ineffective [..]"

That's a pretty naive look at penetration testing. Look, we have controls, so that CAN'T happen. Right.
tialaramex, over 7 years ago
Hanno points out two big problems here that are not so obvious.

Firstly, there is supposed to be a Problem Reporting mechanism for the certificates themselves. If you can't get the application developer to pull their finger out but you have acquired a Private Key you shouldn't have, you should be able to file such a report and get satisfaction in hours not weeks. Sophisticated users can prove they have the key without revealing it, but that's polite rather than obligatory. This mechanism either wasn't apparent to the problem's discoverer or didn't work. Neither is OK.

Secondly, even without being able to get a copy of the shared private key, sharing is a risk. If we confuse a remote client into talking to our service rather than the one they expected, they'll never know the difference because the keys check out fine.

The latter is why wildcards, while convenient, are not always a wise choice for security.
rootsudo, over 7 years ago
Darn, I saw this, it's also a bit similar on the onmicrosoft.com domain for 365 clients.

Interesting, Interesting.
moondev, over 7 years ago
Does the cloud ERP product use only the private key for RDP authentication?
Reply #15878486 not loaded
baybal2, over 7 years ago
This is a rather common security hole on different app and web hosting services that provide "We will spare you the pain of getting an SSL cert by yourself, and get you one for free," but which instead give you their wildcard cert.

Wildcard certs in a shared VPS-like environment are a red flag.
Reply #15878694 not loaded
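The cross-tenant risk tialaramex and baybal2 describe (one wildcard certificate and one private key covering every tenant of a shared host) can be audited from observed TLS endpoints. This is an added example, not code from the thread or from any vendor: hostnames, SAN lists and SPKI fingerprints are constructed, and the name-matching rules follow RFC 6125 (a wildcard is only valid as the whole leftmost label and covers exactly one label).

```python
"""Audit observed TLS endpoints for wildcard certificates whose key is shared
across tenants. Input records are (hostname, SAN dNSNames, SPKI fingerprint);
all sample values below are constructed for illustration."""
from collections import defaultdict


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' must be the entire leftmost label and matches
    exactly one label, so '*.example.com' covers a.example.com but neither
    example.com nor x.y.example.com. '*.com'-style patterns are rejected."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[2:]
    if "*" in suffix or "." not in suffix:
        return False
    first, _, rest = h.partition(".")
    return bool(first) and "*" not in first and rest == suffix


def covers(sans, hostname: str) -> bool:
    """True if any SAN in the certificate would validate for this hostname."""
    return any(wildcard_matches(s, hostname) for s in sans)


def audit(observations):
    """For each host, list the other observed hosts its certificate also covers
    (who it could be mistaken for), and group hosts by SPKI fingerprint so a
    single private key guarding many tenants stands out."""
    hosts = [h for h, _, _ in observations]
    by_key = defaultdict(set)
    cross = {}
    for host, sans, spki in observations:
        by_key[spki].add(host)
        others = sorted(o for o in hosts if o != host and covers(sans, o))
        if others:
            cross[host] = others
    shared = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    return {"cross_tenant": cross, "shared_keys": shared}


# Constructed sample: three tenants behind one wildcard cert and key, one tenant
# with a dedicated certificate, and the bare parent name.
SAMPLE = [
    ("tenant-a.erp.example.com", ["*.erp.example.com"], "spki:AAAA"),
    ("tenant-b.erp.example.com", ["*.erp.example.com"], "spki:AAAA"),
    ("tenant-c.erp.example.com", ["*.erp.example.com"], "spki:AAAA"),
    ("tenant-d.erp.example.com", ["tenant-d.erp.example.com"], "spki:DDDD"),
    ("erp.example.com", ["erp.example.com"], "spki:EEEE"),
]
```

Running `audit(SAMPLE)` reports that the three tenants share key `spki:AAAA` and that each wildcard holder's certificate also validates for tenant-d, while the dedicated and parent certificates cover nobody else.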