Full Report
Details have emerged about three now-patched security vulnerabilities in Dynamics 365 and Power Apps Web API that could result in data exposure. The flaws, discovered by Melbourne-based cybersecurity company Stratus Security, have been addressed as of May 2024. Two of the three shortcomings reside in Power Platform's OData Web API Filter, while the third vulnerability is rooted in the FetchXML
Analysis Summary
As a vulnerability research specialist, here is the actionable summary of the reported security flaws in Microsoft Dynamics 365 and Power Apps Web API.
# Vulnerability: Data Exposure Flaws in Microsoft Dynamics 365 & Power Apps Web API
## CVE Details
The provided article discusses multiple flaws discovered by Stratus Security, but **specific CVE identifiers and corresponding CVSS scores are not mentioned** in the summary text. The fixes were deployed as of **May 2024**.
- CVE ID: Not specified in the source text.
- CVSS Score: Not specified in the source text.
- CWE: Not specified in the source text, but flaws relate to **Broken Access Control** (CWE-284) and insecure data handling/query logic.
## Affected Systems
- Products: Microsoft Dynamics 365 and Power Apps Web API.
- Versions: Unspecified, but all versions prior to the May 2024 patch release.
- Configurations: Specifically impacts components utilizing the **OData Web API Filter** and the **FetchXML API**.
## Vulnerability Description
The flaws allow unauthorized access and extraction of sensitive data, primarily residing in the `contacts` table.
1. **OData Web API Filter Flaw (Lack of Access Control):** A critical issue where inadequate access controls allowed threat actors to execute queries against the contacts table.
2. **Data Exfiltration Technique (Boolean-Based Search):** Threat actors could exploit the lack of access control to perform sequential guessing of data fields, such as `adx_identity_passwordhash`. By using `startswith()` queries iteratively, an attacker can reconstruct the complete hash value character by character until the query returns results confirming the character sequence.
3. **FetchXML API Flaw:** A related vulnerability rooted in the FetchXML API, specifically involving the use of the `orderby` clause for data extraction.
The sensitive data potentially exposed includes full names, phone numbers, addresses, financial data, and password hashes.
## Exploitation
- Status: The context implies the vulnerability was serious enough to warrant urgent patching, but does not explicitly state if it was exploited in the wild *before* the patch. Given the detailed description of the extraction technique, exploitation appears feasible.
- Complexity: **Medium to High** (Requires knowledge of OData query structures and iterative guessing for full hash extraction).
- Attack Vector: **Network** (Remote exploitation via API calls).
## Impact
- Confidentiality: **High** (Allows extraction of sensitive PII and password hashes).
- Integrity: **Low to Medium** (Primarily focuses on data reading, not modification, though a highly targeted attacker might infer data structures).
- Availability: **Low** (No indication of Denial of Service).
## Remediation
### Patches
- Microsoft released patches addressing these flaws in or around **May 2024**.
- Affected organizations should ensure their Microsoft Dynamics 365 and Power Apps environments have received all security updates released by Microsoft since May 2024.
### Workarounds
- The primary workaround for these types of API access control issues would typically involve strict **network segmentation**, **Web Application Firewall (WAF)** rule implementation to scrutinize OData/FetchXML queries, and ensuring **least privilege access** is enforced at the application layer, though comprehensive patching is the definitive solution.
## Detection
- **Indicators of Compromise (IOCs):**
* Unusually high volume of specific API query operations targeting contact/user tables.
* Repeatedly failing or systematically varying `startswith()` or `orderby` clauses in OData/FetchXML requests logged by application or API gateways.
* Ingress traffic containing complex, structured queries designed for blind data extraction.
- **Detection Methods and Tools:**
* Monitor API gateway and server logs for unusual query patterns targeting sensitive fields within the OData and FetchXML endpoints.
* Use real-time security monitoring tools capable of inspecting the parameters of API requests against baselines.
## References
- Vendor Advisories: Not explicitly linked by name, but Microsoft security updates from May 2024 related to Dynamics 365/Power Apps.
- Relevant links:
* Original discovery details: hxxps://www.stratussecurity.com/post/critical-microsoft-365-vulnerability
* Microsoft documentation describing affected APIs (for context on query structure): hxxps://learn.microsoft.com/en-us/power-apps/developer/data-platform/webapi/query/overview
* Microsoft documentation describing affected entities (for context on data exposure): hxxps://learn.microsoft.com/en-us/power-apps/developer/data-platform/reference/entities/contact