Microsoft Exchange’s New ‘ProxyToken’ Flaw Allows Attackers to Reconfigure Mailboxes




Details have emerged of a now-fixed security vulnerability affecting Microsoft Exchange Server that could be used by an unauthenticated attacker to modify server configurations, leading to the disclosure of Personally Identifiable Information (PII).

The issue, tracked as CVE-2021-33766 (CVSS score: 7.3) and dubbed “ProxyToken,” was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of the Vietnam Post and Telecommunications Group (VNPT-ISC), and reported through the Zero-Day Initiative (ZDI) program in March 2021.


“With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes owned by arbitrary users,” ZDI said Monday. “To illustrate the impact, this can be used to copy all emails addressed to a target and an account and forward them to an account controlled by the attacker.”

Microsoft addressed the issue as part of its Patch Tuesday updates for July 2021.

The security flaw lies in a feature called Delegated Authentication, which refers to a mechanism by which the front-end website – the Outlook Web Access (OWA) client – forwards authentication requests directly to the back-end when it detects the presence of a SecurityToken cookie.


However, because Exchange must be specifically configured to use the feature and to have the back-end perform the checks, the module that handles this delegation (“DelegatedAuthModule”) is not loaded in the default configuration. The result is a bypass: the back-end fails to authenticate incoming requests based on the SecurityToken cookie.

“The net result is that requests can pass through, without being subject to authentication on the front or back end,” explained ZDI’s Simon Zuckerbraun.
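For defenders, the gap described above suggests one log-hunting check, shown here as an added example (not code from ZDI or Microsoft): flag requests that carry a SecurityToken cookie but were logged with no authenticated username. It assumes IIS W3C logs with the optional cs(Cookie) field enabled and a deployment that does not use Delegated Authentication; the log lines, paths and addresses are constructed.

```python
# Added example: hunt for anonymous requests carrying a SecurityToken cookie.
# Assumption: IIS W3C extended logging with the optional cs(Cookie) field on.

# Constructed sample log (documentation-range IPs, made-up paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status cs(Cookie)
2021-08-10 09:14:02 198.51.100.23 POST /owa/constructed-a - 200 SecurityToken=constructed
2021-08-10 09:14:05 192.0.2.10 GET /owa/ alice@example.test 200 ClientId=ABC;+UC=1
2021-08-10 09:14:09 198.51.100.23 GET /owa/ - 302 -
2021-08-10 09:15:40 203.0.113.7 POST /owa/constructed-b - 401 ClientId=Q;+SecurityToken=constructed
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def cookie_names(raw):
    """Return lower-cased cookie names; IIS logs 'a=1; b=2' as 'a=1;+b=2'."""
    if raw == "-":
        return set()
    parts = (p.strip("+ ") for p in raw.split(";"))
    return {p.split("=", 1)[0].lower() for p in parts if p}

def suspicious_requests(text):
    """Requests with a SecurityToken cookie and no authenticated user."""
    hits = []
    for rec in parse_w3c(text):
        if "cs(Cookie)" not in rec:
            continue                        # cookie logging not enabled
        anonymous = rec.get("cs-username", "-") == "-"
        if anonymous and "securitytoken" in cookie_names(rec["cs(Cookie)"]):
            # Status is kept for triage only; it is not proof of success or failure.
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```
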


The disclosure adds to a growing list of Exchange Server vulnerabilities that have come to light this year, including ProxyLogon, ProxyOracle, and ProxyShell, which have been actively exploited by malicious actors to take control of unpatched servers and deploy malicious web shells and file-encrypting ransomware such as LockFile.

Disturbingly, in-the-wild exploitation attempts abusing ProxyToken have already been recorded as of August 10, according to NCC Group security researcher Rich Warren, which makes it imperative that customers act quickly to apply Microsoft's security updates.


