
Microsoft mitigates Power Platform Custom Code information disclosure vulnerability

Summary

On 30 March 2023, Tenable informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a security issue concerning Power Platform Custom Connectors using Custom Code. This feature allows customers to write code for custom connectors. This issue has been fully addressed for all customers and no customer remediation action is required.

Customer Impact

The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom connectors. The potential impact could be unintended information disclosure if secrets or other sensitive information were embedded in the Custom Code function.  
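The risk condition the advisory names is a secret embedded in the Custom Code function itself. As an added example (not Microsoft's code, and not part of this advisory), the following Python check scans custom connector script source for the patterns that usually indicate an embedded credential: a string literal assigned to a credential-named identifier, a literal `Authorization` header value, and long high-entropy literals. The two samples are constructed; the `Script : ScriptBase` / `ExecuteAsync` shape is an assumption about the C# script format Custom Code uses, not text from the page.

```python
import math
import re

# Constructed sample in the shape of a custom connector C# script.
# The ScriptBase/ExecuteAsync layout is an assumption about the Custom Code
# format, not something stated in the advisory.
SAMPLE_CSX = '''
public class Script : ScriptBase
{
    // Embedded secret: exactly what the advisory says could be disclosed
    private const string ApiKey = "sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0";

    public override async Task<HttpResponseMessage> ExecuteAsync()
    {
        var endpoint = "https://api.example.test/v1/orders";
        var sessionId = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4";
        this.Context.Request.Headers.Add("x-api-key", ApiKey);
        this.Context.Request.Headers.Add("Authorization", "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc");
        return await this.Context.SendAsync(this.Context.Request, this.CancellationToken);
    }
}
'''

# Constructed counter-example: the connection supplies the credential at
# runtime, so nothing sensitive lives in the script text.
SAFE_CSX = '''
public class Script : ScriptBase
{
    public override async Task<HttpResponseMessage> ExecuteAsync()
    {
        // Credential comes from the connector's connection parameters, not the code
        return await this.Context.SendAsync(this.Context.Request, this.CancellationToken);
    }
}
'''

STRING_LITERAL = re.compile(r'"([^"]*)"')
# identifier such as ApiKey / clientSecret / accessToken followed by '=' right before the literal
CREDENTIAL_ASSIGN = re.compile(r'(\w*(?:key|secret|token|password|pwd|credential)\w*)\s*=\s*$', re.I)
# Headers.Add("Authorization", "<literal>") : the literal is the header value
AUTH_HEADER_VALUE = re.compile(r'"Authorization"\s*,\s*$')
# token-shaped literal: long, no spaces or URL punctuation
TOKEN_LIKE = re.compile(r'^[A-Za-z0-9_\-+/=]{20,}$')
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking keys sit well above this


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Show only a short prefix so the finding itself does not leak the value."""
    return value[:4] + "..." + "(%d chars)" % len(value)


def find_embedded_secrets(source):
    """Return one finding per suspicious string literal in a script source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith("//"):
            continue  # comments are not executable, skip them
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            prefix = line[:match.start()]
            named = CREDENTIAL_ASSIGN.search(prefix)
            if named:
                kind, name = "credential-named assignment", named.group(1)
            elif AUTH_HEADER_VALUE.search(prefix):
                kind, name = "literal Authorization header value", "Authorization"
            elif TOKEN_LIKE.match(literal) and shannon_entropy(literal) > ENTROPY_THRESHOLD:
                kind, name = "high-entropy literal", None
            else:
                continue
            findings.append({"line": lineno, "kind": kind, "name": name,
                             "value": redact(literal)})
    return findings


if __name__ == "__main__":
    for finding in find_embedded_secrets(SAMPLE_CSX):
        print(finding)
    print("safe sample findings:", find_embedded_secrets(SAFE_CSX))
```

Run against the first sample it reports the `ApiKey` constant, the high-entropy `sessionId` literal and the literal bearer token, and nothing for the second; the URL literal is deliberately not flagged because URLs are high-entropy but not credentials. A check like this run over connector script sources is a reasonable way to find the configurations that would have carried real exposure under the issue described here.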

Our investigation into the report identified anomalous access only by the security researcher that reported the incident, and no other actors. All impacted customers have been notified of this anomalous access by the researcher through the Microsoft 365 Admin Center (MC665159).

Fix Release

Microsoft issued an initial fix on 7 June 2023 to mitigate this issue for the majority of customers. Investigation into the subsequent report from Tenable on 10 July 2023 revealed that a very small subset of Custom Code in a soft-deleted state was still impacted. This soft-deleted state exists as a resiliency mechanism, enabling quick recovery after accidental deletion of a custom connector. Microsoft engineering took steps to ensure and validate complete mitigation for any potentially remaining customers using Custom Code functions. This work was completed on 2 August 2023.

As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing. Ultimately, developing a security update is a delicate balance between the speed and safety of applying the fix and the quality of the fix. Moving too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability. The purpose of an embargo period is to provide time for a quality fix. Not all fixes are equal: some can be completed and safely applied very quickly, others take longer. To protect our customers from exploitation of an embargoed security vulnerability, we also monitor every reported security vulnerability for active exploitation and move swiftly if we see any active exploit. As both a service provider and a security company, Microsoft appreciates being part of an ecosystem of organizations that place protecting customers above all other goals.

Microsoft also appreciates the security community’s research and disclosure of vulnerabilities. Responsible research and mitigation are critical for safeguarding our customers and this comes with a shared responsibility to be factual, understand processes and work together. Any deviation from this process puts customers and our communities at undue security risk. As always, Microsoft’s top priority is to protect and be transparent with our customers and we remain steadfast in our mission.

Customer FAQs

Q: How do I know if I was affected by this unauthorized information disclosure?

A: Microsoft notified affected customers about this issue via Microsoft 365 Admin Center (MC665159) starting on 4 August 2023. If you did not receive this notification, then no action is required.

Q: How do I know if a notification was sent to my organization?

A: We sent Microsoft 365 Admin Center notifications to affected customers using a Data Privacy tag which means only users with a global administrator role or a Message center privacy reader role can view the notification. These roles are appointed by your organization. You can learn more about these roles and how to assign them here.
