Oops! Microsoft Dynamics GP's huge security hole (update: NOT)

[As you were. It appears the 'revelation' was wrong. Sorry for the fire drill. Updates at end of post.] 

If you're relying on the password encryption in Microsoft Dynamics GP -- formerly Great Plains -- to meet your PCI requirements, stop what you're doing and listen up. It's been revealed that its encryption algorithm is about as simple as it can be: a substitution cypher. Let's investigate, in today's The Long View...

We have Christopher Kois to thank for this revelation:

After trying a couple different combinations of test data, it became very obvious that changing only one character in the test data appeared to only alter 2 characters of the encrypted data. ... Yep, it’s basically your run-of-the-mill Substitution cipher.


Microsoft [uses the cypher] for their GP system password. ... If you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the “encrypted” GP System password.

Yikes. If true, that's a ridiculous security hole (hoary old clichés about driving trucks spring to mind). What is this: amateur hour?
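The test Kois describes (change one input character, count how many characters of the stored value change) can be automated as a diffusion check on any password-storage scheme. This is an added example, not code from the post or from Kois: `toy_substitution` is a constructed stand-in and not the Dynamics GP algorithm, and the sample passwords are made up.

```python
import hashlib
import os

# Constructed stand-in, NOT the Dynamics GP algorithm: every input byte is
# replaced independently, via a fixed table, by two hex characters.
_TABLE = bytes((b * 7 + 0x5A) % 256 for b in range(256))  # a permutation of 0..255

def toy_substitution(password: str) -> str:
    return bytes(_TABLE[b] for b in password.encode("ascii")).hex().upper()

def pbkdf2_record(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Salted, iterated hash: the kind of record a stored password should be."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

def changed_positions(a: str, b: str) -> list[int]:
    """Indexes at which two equal-length stored values differ."""
    if len(a) != len(b):
        raise ValueError("stored values differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def looks_like_substitution(encode, sample: str = "Summer2010!", window: int = 2) -> bool:
    """True if every one-character change to the input alters only a run of
    at most `window` adjacent output characters (no diffusion)."""
    base = encode(sample)
    for i, ch in enumerate(sample):
        variant = sample[:i] + ("X" if ch != "X" else "Y") + sample[i + 1:]
        out = encode(variant)
        if len(out) != len(base):
            return False
        diffs = changed_positions(base, out)
        if not diffs or diffs[-1] - diffs[0] >= window:
            return False
    return True

if __name__ == "__main__":
    salt = os.urandom(16)
    schemes = {
        "toy substitution": toy_substitution,
        "PBKDF2-SHA256 + salt": lambda p: pbkdf2_record(p, salt),
    }
    for name, encode in schemes.items():
        a, b = encode("password1"), encode("passwore1")
        print(f"{name}: {len(changed_positions(a, b))}/{len(a)} output chars changed; "
              f"substitution-like={looks_like_substitution(encode)}")
```

A scheme that fails this check also leaks the password length and gives identical stored values for identical passwords, which a salted hash does not.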

PCI-DSS requirement #3 requires organizations that accept credit cards to 'Protect stored cardholder data'. Many organizations check this off the list by relying on databases that can't be accessed without a master password.

Unfortunately, the password in Microsoft Dynamics GP isn't stored securely, according to Kois. So an attacker could easily bring down the whole house of cards. [Pun intended, sorry.]

Update May 21, 1.40pm EDT: on the other hand, Mark Polino, a Microsoft MVP for the product, doubts that Kois knows what he's talking about:

On some older versions it was possible to choose to allow a user to access SQL with their GP login. This is not possible on any of the supported versions. ... Relying on the System password alone for security has never been a best practice.

Update May 22, 5.15am EDT: Kois has changed his position. While he still maintains the master password cypher is very weak, he believes he misunderstood the relevance of it:

By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager. ... This was a BIG oversight on my part and I apologize for this. I really should have tested this out more before posting that statement.


This master password is just a secondary password that is OPTIONAL. ... If you have this password set, the user attempting to access the Security Roles/User Forms will need to enter it. This is not a very secure way to store this password, but it is not the primary form of authentication to GP.

Action required: If you're relying on the security of Microsoft Dynamics GP to attest to PCI compliance, it's time to review the situation. Now that this flaw is common knowledge, your private cardholder data are probably at significant risk.

Hat tip: /. 

  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: TLV@richij.com

You can also read Richi's full profile and disclosure of his industry affiliations.

Richi Jennings, blogger at large

Copyright © 2010 IDG Communications, Inc.
