Multiple Microsoft Edge Chromium-based Vulnerabilities
January 6, 2025
Russian Threat Actors Use Fake Hardhat npm Packages to Target Ethereum Developers – Active IOCs
January 6, 2025
Severity
High
Analysis Summary
Researchers recently uncovered three significant vulnerabilities in the Microsoft Dynamics 365 and Power Apps Web API, all of which have since been patched (as of May 2024). Two of these vulnerabilities stem from weaknesses in the Power Platform's OData Web API filter, while the third involves the FetchXML API. These flaws could lead to data exposure, including sensitive user information such as full names, phone numbers, addresses, financial details, and even password hashes.
According to the researchers, the first vulnerability arises from inadequate access controls on the OData Web API filter, which permits unauthorized access to sensitive data within the contacts table. This flaw can be exploited through a boolean-based search method, enabling attackers to extract password hashes character by character. For instance, by iteratively querying strings like startswith(adx_identity_passwordhash, 'a') or startswith(adx_identity_passwordhash, 'ab'), the attacker can deduce the complete hash value.
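The character-by-character probing described above leaves a distinctive trace in API access logs: one source issuing many startswith() filters against the same column in a short window, with later literals extending earlier ones by one character. The following detector is an added example written for this advisory, not code from the researchers or from Microsoft. The log line layout, the API path, the source addresses and the thresholds are all constructed assumptions; adapt the regular expressions to your gateway's actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the advisory):
# "<timestamp> <source ip> <method> <request path>". The API path is an assumption.
SAMPLE_LOG = """\
2025-01-06T10:00:01Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'a')
2025-01-06T10:00:02Z 198.51.100.5 GET /api/data/v9.2/contacts?$filter=startswith(fullname,'Ali')
2025-01-06T10:00:03Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'b')
2025-01-06T10:00:04Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'c')
2025-01-06T10:00:05Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'ca')
2025-01-06T10:00:06Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'cb')
2025-01-06T10:00:07Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'cba')
"""

# Assumed log layout: ISO-8601 UTC timestamp, source, HTTP method, request path.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)")
# OData startswith(column, 'literal'); a doubled quote inside the literal is an escaped quote.
STARTSWITH_RE = re.compile(
    r"startswith\(\s*(?P<col>[A-Za-z_][A-Za-z0-9_]*)\s*,\s*'(?P<lit>(?:[^']|'')*)'\s*\)",
    re.IGNORECASE,
)


def parse_events(lines):
    """Yield (timestamp, source, column, literal) for every startswith() filter seen."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        path = unquote(m.group("path"))  # logs may carry %27 for quotes
        for sw in STARTSWITH_RE.finditer(path):
            literal = sw.group("lit").replace("''", "'")
            yield ts, m.group("src"), sw.group("col").lower(), literal


def detect_enumeration(lines, window=timedelta(minutes=5), min_queries=5):
    """Flag (source, column) pairs that issue at least `min_queries` startswith()
    probes within `window` where one probe's literal extends another's.

    Returns {(source, column): {"queries": total, "longest_literal": str}}.
    """
    by_key = defaultdict(list)
    for ts, src, col, lit in parse_events(lines):
        by_key[(src, col)].append((ts, lit))

    alerts = {}
    for key, events in by_key.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            recent = [lit for t, lit in events[: i + 1] if ts - t <= window]
            # Prefix extension: some literal in the window is a longer version of another.
            extends = any(
                b.startswith(a) and len(b) > len(a) for a in recent for b in recent
            )
            if len(recent) >= min_queries and extends:
                alerts[key] = {
                    "queries": len(events),
                    "longest_literal": max(events, key=lambda e: len(e[1]))[1],
                }
                break  # one alert per (source, column) is enough
    return alerts


if __name__ == "__main__":
    for (src, col), info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src} probed {col}: {info['queries']} queries, "
              f"longest literal {len(info['longest_literal'])} chars")
```

The single fullname lookup from the second source never trips the detector, because it is one query with nothing for a later literal to extend; the threshold and window are the knobs to tune against your own baseline of legitimate prefix searches. Pairing this with a per-source rate limit on filtered reads of the contacts table closes the loop from detection to blocking.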

The second issue involves the use of the order-by clause within the OData Web API, which allows attackers to extract data from specific database columns, such as primary email addresses (EMailAddress1). This vulnerability facilitates data harvesting by bypassing conventional access controls, thereby granting attackers unauthorized insight into sensitive information.
The third vulnerability concerns the FetchXML API, which allows attackers to bypass access restrictions using an order-by query. Unlike the OData flaw, this method doesn't require the orderby to be in descending order, making it even more versatile for exploitation. Together, these flaws pose significant risks, including the potential compilation and cracking of password hashes, emphasizing the importance of robust cybersecurity measures for organizations managing large volumes of sensitive data.
Impact
- Sensitive Data Theft
- Unauthorized Access
Affected Vendors
Remediation
- Implement strict access controls to limit unauthorized queries on sensitive tables such as the contacts table.
- Use role-based access control (RBAC) to ensure only authorized users and applications can access sensitive data.
- Regularly audit API permissions to detect and remove excessive or outdated access rights.
- Introduce rate-limiting and monitoring for API requests to detect and block enumeration attempts.
- Deploy logic to prevent attackers from conducting sequential queries, such as randomizing query responses or returning generic error messages for invalid requests.
- Implement hashing algorithms like bcrypt or Argon2 for password hashes to increase computational complexity, making brute-force attacks impractical.
- Apply query validation and filtering to prevent unauthorized access to sensitive columns such as EMailAddress1.
- Use API gateways or middleware to inspect and block malicious queries before they reach backend systems.
- Enforce strict query validation to ensure that only authorized columns can be queried, regardless of the use of orderby.
- Apply column-level security to restrict access to sensitive data fields, such as password hashes and email addresses.
- Monitor and log API activity to detect unusual patterns that could indicate exploitation attempts.
- Conduct regular penetration testing and vulnerability assessments to uncover and address potential weaknesses.
- Update and patch API systems promptly to close any newly discovered vulnerabilities.
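Several of the remediation items above (query validation, column-level restrictions regardless of orderby, and a gateway that rejects bad queries before they reach the backend) come down to one control: every column referenced in a request's $filter, $orderby, $select or FetchXML order/condition elements must be on an allow-list. The gateway-side check below is an added example for this advisory, not Microsoft's or the researchers' code. The allow-list contents, the deny-list (seeded with the two column names the advisory mentions) and the simplified OData tokenizer are assumptions; a production gateway would use a full OData parser.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Columns the advisory names as exposed; hypothetical deny-list for a gateway policy.
SENSITIVE_COLUMNS = {"adx_identity_passwordhash", "emailaddress1"}

# Hypothetical allow-list: the only contacts columns an external caller may filter,
# sort or select on. Anything not listed is rejected, so a newly added sensitive
# column is protected by default rather than only after a deny-list update.
ALLOWED_CONTACT_COLUMNS = {"contactid", "fullname", "createdon"}

# OData functions and keywords that look like identifiers but are not column names.
ODATA_KEYWORDS = {
    "startswith", "endswith", "contains", "eq", "ne", "gt", "ge", "lt", "le",
    "and", "or", "not", "asc", "desc", "true", "false", "null",
}
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STRING_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")


def column_refs(expr):
    """Identifiers referenced by an OData $filter/$orderby/$select expression.

    Quoted string literals are blanked first so that text inside quotes is
    never mistaken for a column name.
    """
    stripped = STRING_LITERAL_RE.sub("''", expr)
    return {tok.lower() for tok in IDENT_RE.findall(stripped)} - ODATA_KEYWORDS


def disallowed(columns):
    """Columns that are either explicitly sensitive or simply not allow-listed."""
    return {c for c in columns if c in SENSITIVE_COLUMNS or c not in ALLOWED_CONTACT_COLUMNS}


def odata_violations(query_string):
    """Disallowed column references in an OData query string for the contacts set."""
    params = parse_qs(query_string, keep_blank_values=True)
    refs = set()
    for key in ("$filter", "$orderby", "$select"):
        for value in params.get(key, []):
            refs |= column_refs(value)
    return disallowed(refs)


def fetchxml_violations(xml_text):
    """Disallowed column references in a FetchXML document.

    <attribute name=...> selects a column; <order attribute=...> and
    <condition attribute=...> reference one, so all three are checked.
    """
    root = ET.fromstring(xml_text)
    refs = set()
    for el in root.iter():
        if el.tag == "attribute" and el.get("name"):
            refs.add(el.get("name").lower())
        elif el.tag in ("order", "condition") and el.get("attribute"):
            refs.add(el.get("attribute").lower())
    return disallowed(refs)


def is_allowed(query_string=None, fetchxml=None):
    """Gateway decision: True only when no disallowed column is referenced anywhere."""
    violations = set()
    if query_string:
        violations |= odata_violations(query_string)
    if fetchxml:
        violations |= fetchxml_violations(fetchxml)
    return not violations


if __name__ == "__main__":
    # Constructed requests for illustration.
    print(is_allowed(query_string="$filter=fullname eq 'Alice'&$orderby=createdon desc"))
    print(is_allowed(query_string="$orderby=EMailAddress1 desc"))
    print(is_allowed(fetchxml='<fetch><entity name="contact"><attribute name="fullname"/>'
                              '<order attribute="adx_identity_passwordhash"/></entity></fetch>'))
```

Note that the check is applied to sort and condition references, not only to selected attributes: the advisory's second and third flaws leak data purely through ordering, so a guard that inspects only $select or <attribute> elements would miss them. The allow-list model also means rejecting a request is the default outcome when a column is unknown to the policy, which is the safe failure mode for a table holding password hashes.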