CVE CyberSecurity Database News

CVE-2024-21394 - Inside the Dynamics 365 Field Service Spoofing Vulnerability

Poster -

On February 2024, Microsoft patched a high-impact vulnerability dubbed CVE-2024-21394 affecting Dynamics 365 Field Service. This security hole lets attackers spoof user identities, tricking the system into thinking malicious commands come from trusted sources. Here’s a deep dive into this flaw, practical proof-of-concept, and advice for staying secure.

What Is CVE-2024-21394?

CVE-2024-21394 is a spoofing vulnerability discovered in Microsoft Dynamics 365 Field Service (on-premises). It allows attackers to send specially crafted requests that appear as if they originated from legitimate users. Successful exploitation can let criminals perform sensitive actions under false identities—without needing direct access to victim accounts.

Microsoft's official advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21394

Who Is Affected?

This bug hits organizations using Microsoft Dynamics 365 Field Service with web interfaces exposed to user input—especially when internal users have broad privileges.

How Does Spoofing Work Here?

At its core, CVE-2024-21394 is about trust. The web API accepts input that isn’t properly verified. A threat actor can insert or modify fields to impersonate another user. For example, if the application uses request headers or payload fields to identify users, but doesn’t securely check those users’ authenticity, attackers can exploit that gap.

Imagine a POST request that creates work orders. The frontend might send something like

POST /api/workorders HTTP/1.1
Host: d365.company.com
Authorization: Bearer <attacker-token>
Content-Type: application/json

{
  "title": "System Maintenance",
  "assignedTo": "admin@company.com",
  "priority": "High"
}

If the backend accepts the assignedTo field directly, without confirming the requesting user's identity or role, an attacker can create jobs or changes as if they are the admin.

Real-World Exploit Scenario

Step 1: Attacker gains access to any valid account (even a low-privileged one).
Step 2: They craft a request to assign tasks or permissions to a privileged user or themselves, using spoofed fields.

Proof-of-Concept Request

POST /api/users/update-permissions HTTP/1.1
Host: d365.company.com
Authorization: Bearer <attacker-token>
Content-Type: application/json

{
  "userId": "admin_guid",
  "role": "System Administrator"
}

If backend code does not cross-check the userId with the actual authenticated sender, this will promote attacker’s privileges or make critical changes “as admin.”

Why Does This Happen?

Developers sometimes trust data from client-side code—assuming input like identity fields, emails, or roles are honest. In secure systems, the backend should ALWAYS validate who a user is, based on secure authentication tokens/session, not data from the client.

Vulnerable .NET (pseudo) code

// WRONG way: trusting user input from request body
public IActionResult UpdatePermissions([FromBody] UserRoleUpdate model) {
    var user = db.Users.Find(model.UserId);
    user.Role = model.Role;
    db.SaveChanges();
    return Ok();
}

Secure (corrected) code

public IActionResult UpdatePermissions([FromBody] UserRoleUpdate model) {
    var currentUser = HttpContext.User.Identity.Name;
    if(!UserIsAdmin(currentUser)) {
        return Unauthorized();
    }
    var userToUpdate = db.Users.Find(model.UserId);
    userToUpdate.Role = model.Role;
    db.SaveChanges();
    return Ok();
}

Impersonation: Submit fraudulent work, change settings, or disrupt service records.

This makes CVE-2024-21394 fertile ground for both internal and external attackers (if they gain an account).

Update Dynamics 365 Field Service with June 2024 patches.

Official Update Information
- Ensure that backend controllers check actual user identity from secure authentication/session—not just user-supplied data.

More Reading

- Microsoft Security Response Center: CVE-2024-21394
- Microsoft Docs: Field Service release notes
- OWASP Cheat Sheet: Authorization

Conclusion

CVE-2024-21394 is a prime lesson that API endpoints must NEVER trust user-provided identity data. Always authorize based on the authenticated session/token—not what’s claimed in the request. If you run Dynamics 365 Field Service, update today.

Stay safe!
*Patch up, audit logs, and don’t trust user input—even if the user is YOU.*

Timeline

Published on: 02/13/2024 18:15:57 UTC
Last modified on: 02/23/2024 17:40:46 UTC