The ProxyToken vulnerability
A recent revelation about a now-patched security vulnerability in Microsoft Exchange Server has popped up in the security news headlines. The flaw, named “ProxyToken” (tracked as CVE-2021-33766), was reported via the Zero-Day Initiative (ZDI) program in March this year and has a CVSS rating of 7.3.
According to the details that are available, unauthenticated attackers may use this Microsoft Exchange Server security vulnerability to alter server settings, and in this way gain access to Personally Identifiable Information (PII).
According to a statement published by ZDI on Monday, the now-patched flaw, if exploited, allows the mailbox settings of arbitrary users to be manipulated.
To illustrate the effect of ProxyToken abuse, the researchers explain that all emails addressed to the target account may be copied and redirected to an attacker-controlled account.
Microsoft provided a fix for the reported vulnerability in its Patch Tuesday updates for July this year.
As per the revelations, the root of this security weakness is a feature called Delegated Authentication, a mechanism that directs authentication requests to the back end when a SecurityToken cookie is detected on the Outlook Web Access client request.
However, the feature is only loaded if Exchange is specifically configured to use it. In cases where Exchange has not been configured to use the “DelegatedAuthModule” and have the back end carry out the checks, the module is not loaded by default. This leads to a bypass, because the back end then fails to authenticate incoming requests based on the SecurityToken cookie.
Simon Zuckerbraun, a researcher at ZDI, explains that due to this flaw, requests may sail through without being subject to authentication on either the front or back end.
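The front-end/back-end hand-off described above, as an added illustration that is neither Exchange code nor part of ZDI's write-up: a small two-tier model in which the front end skips its own authentication whenever the SecurityToken cookie is present, and the back end's check only exists while an optional module is loaded. The cookie name comes from the article; the token values, the `fail_closed` switch and every class and function name are constructed for this example. The model shows both the fail-open behaviour the article describes and a fail-closed alternative in which an unconfigured delegation path rejects delegated requests instead of accepting them.

```python
"""Added illustration, not Microsoft Exchange code: a toy model of delegated
authentication between a front-end and a back-end tier.

The front end forwards any request that carries a SecurityToken cookie to the
back end without authenticating it itself, on the assumption that the back
end's DelegatedAuthModule will validate the token.  If that module is optional
and not loaded, the back end has no check to run.  Whether the result is a
bypass depends on whether the back end fails open or fails closed.
Cookie name is from the write-up; token values, names and the fail_closed
switch are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SECURITY_TOKEN_COOKIE = "SecurityToken"
# Constructed: the only token the (hypothetical) module treats as valid.
KNOWN_GOOD_TOKENS = {"constructed-valid-token"}


@dataclass
class Request:
    cookies: Dict[str, str]


class BackEnd:
    def __init__(self, module_loaded: bool, fail_closed: bool) -> None:
        self.module_loaded = module_loaded  # is the delegated-auth module loaded?
        self.fail_closed = fail_closed      # behaviour when it is not loaded

    def validate_token(self, token: str) -> bool:
        """Stand-in for the module's real token check (constructed)."""
        return token in KNOWN_GOOD_TOKENS

    def handle_delegated(self, req: Request) -> str:
        if self.module_loaded:
            token = req.cookies.get(SECURITY_TOKEN_COOKIE, "")
            return "allowed" if self.validate_token(token) else "denied: invalid SecurityToken"
        if self.fail_closed:
            # Hardened design: delegation was never configured, so a delegated
            # request has no legitimate reason to exist; reject it.
            return "denied: delegated authentication not configured"
        # Fail-open design: no module means no check, so the request sails
        # through unauthenticated on both tiers (the condition the article describes).
        return "allowed"


class FrontEnd:
    def __init__(self, backend: BackEnd) -> None:
        self.backend = backend

    def handle(self, req: Request) -> str:
        if SECURITY_TOKEN_COOKIE in req.cookies:
            # Delegated Authentication path: skip local auth, trust the back end.
            return self.backend.handle_delegated(req)
        # Ordinary path: the front end would authenticate credentials here;
        # this model carries none, so it denies.
        return "denied: front-end authentication required"


def simulate(module_loaded: bool, fail_closed: bool,
             cookies: Optional[Dict[str, str]] = None) -> str:
    """Run one request through the two-tier model and return the verdict."""
    frontend = FrontEnd(BackEnd(module_loaded, fail_closed))
    return frontend.handle(Request(cookies or {}))


def main() -> None:
    bogus = {SECURITY_TOKEN_COOKIE: "anything-at-all"}  # constructed, not a valid token
    good = {SECURITY_TOKEN_COOKIE: "constructed-valid-token"}
    print("module not loaded, fail-open  :", simulate(False, False, bogus))
    print("module not loaded, fail-closed:", simulate(False, True, bogus))
    print("module loaded, bogus token    :", simulate(True, True, bogus))
    print("module loaded, valid token    :", simulate(True, True, good))
    print("no cookie at all              :", simulate(False, False))


if __name__ == "__main__":
    main()
```

The design point the model isolates is that an authentication step which is skipped on one tier must be guaranteed on the other; when the guaranteeing component is optional, the safe default for the unconfigured state is to reject, not to pass the request through.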
Coming on top of the disclosure of other Exchange Server vulnerabilities, including ProxyLogon and ProxyShell, which have been exploited by malicious actors to compromise unpatched servers, this disclosure raises concern because it leaves room for threats such as LockFile, a file-encrypting ransomware, to be installed and run on any vulnerable machine that connects to an unpatched Exchange Server.
The first known exploit attempt using ProxyToken was reported on August 10, which makes it highly necessary that users install Microsoft’s security patches addressing this vulnerability immediately.