ProxyToken Flaw allows Attackers to Reconfigure Mailboxes
Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), discovered a vulnerability affecting Microsoft Exchange Server. Exploiting the flaw allows an attacker to alter server configurations, which can result in the disclosure of Personally Identifiable Information (PII).
The vulnerability is tracked as CVE-2021-33766 (CVSS score: 7.3) and has been named ProxyToken. The researcher reported it through the Zero-Day Initiative (ZDI) program in March this year.
The ZDI stated that the flaw could enable an unauthenticated attacker to perform configuration actions on the mailboxes of arbitrary users. This can be used to copy emails sent to a target by forwarding them to an attacker-controlled account.
The security issue resides in the Delegated Authentication feature. This refers to a process in which the front-end website, the Outlook Web Access (OWA) client, forwards authentication requests directly to the back-end once it detects the presence of a SecurityToken cookie.
For Exchange to be configured to use the feature, the back-end must carry out the authentication checks itself. However, the module responsible for handling this delegation isn't loaded under the default configuration. The result is a bypass: the back-end fails to authenticate requests that arrive with the SecurityToken cookie.
ZDI's Simon Zuckerbraun explains that the net effect of this bypass is that requests can sail through without being authenticated on either the front end or the back end.
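As an added defender-side example (not from the article, ZDI or Microsoft), the check below scans constructed IIS-style log lines for the pattern described above: requests to the /ecp/ configuration endpoints that carry a SecurityToken cookie yet complete successfully with no authenticated user. The log field layout, the sample paths and the cookie values are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (assumed W3C-style layout, not taken from the article).
# Fields: date time cs-method cs-uri-stem cs-username sc-status cs(Cookie)
SAMPLE_LOG = """\
2021-08-10 09:12:01 GET /owa/ contoso\\alice 200 OwaLoginToken=abc
2021-08-10 09:12:05 POST /ecp/PersonalSettings/HomePage.aspx - 200 SecurityToken=x;
2021-08-10 09:13:11 GET /ecp/ contoso\\bob 200 SecurityToken=y;
2021-08-10 09:14:02 POST /ecp/RulesEditor/NewRule - 200 SecurityToken=
2021-08-10 09:15:00 GET /owa/ - 401 -
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<user>\S+) (?P<status>\d{3}) (?P<cookie>\S+)$"
)


@dataclass
class Finding:
    time: str
    method: str
    uri: str


def parse(line):
    """Return the log record as a dict, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec) -> bool:
    """Flag an ECP request that presents a SecurityToken cookie (any value, even empty)
    and was accepted (2xx) although no authenticated user is recorded. That is the
    shape of a request the front end hands off without authenticating it."""
    return (
        rec["uri"].lower().startswith("/ecp/")
        and "securitytoken=" in rec["cookie"].lower()
        and rec["user"] == "-"
        and rec["status"].startswith("2")
    )


def scan(log_text):
    """Run the check over a block of log text and collect the matching requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_suspicious(rec):
            findings.append(Finding(rec["time"], rec["method"], rec["uri"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time} {f.method} {f.uri}")
```

A request with a SecurityToken cookie from a user who did authenticate (the `contoso\bob` line) is not flagged, so the rule keys on the missing identity rather than on the cookie alone.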
The disclosure adds to the list of Exchange Server vulnerabilities identified this year, including ProxyLogon, ProxyOracle, and ProxyShell. These have been actively exploited by attackers to take over servers and to deploy web shells and ransomware such as LockFile.
The vulnerability has now been patched by Microsoft. According to NCC Group security researcher Rich Warren, in-the-wild exploitation attempts against ProxyToken were observed earlier in August, so customers are advised to apply the security updates from Microsoft as soon as possible.