Microsoft Exchange Server Was Riddled With ‘ProxyToken’ Vulnerability

Researchers have recently shared details about a now-patched vulnerability in Microsoft Exchange Server. Dubbed ‘ProxyToken,’ the vulnerability could let an unauthenticated adversary reconfigure Microsoft Exchange mailboxes.

Microsoft Exchange Server ‘ProxyToken’ Vulnerability

Team ZDI has shared details about a serious security flaw it discovered in Microsoft Exchange Server.

As elaborated in their post, the vulnerability identified as ‘ProxyToken’ could allow reconfiguring Microsoft Exchange mailboxes without authentication. Consequently, an adversary could exploit the flaw to gain access to personally identifiable information (PII).

Briefly, the bug resided in the Delegated Authentication feature, in which the Exchange front end passes authentication requests to the back end, which relies on the SecurityToken cookie for authentication. However, the bug appears when the DelegatedAuthModule is not loaded.
As described,

Code on the back end that examines and validates the SecurityToken cookie is found in the class Microsoft.Exchange.Configuration.DelegatedAuthentication.DelegatedAuthenticationModule… in a default configuration of the product, a <remove> element appears, so that the module DelegatedAuthModule will not be loaded at all for the back-end ECP site.

Thus, the back end fails to properly validate the requests that the front end has already forwarded to it. As a result, the requests “sail through” without authentication.

when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.
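The condition in the quoted passages can be checked mechanically by working out which modules a site's configuration leaves loaded. The following Python is an added example, not code from ZDI or Microsoft; the web.config fragments, the inherited module list and the name SampleOtherModule are constructed, and only the `<remove>` element and the module name DelegatedAuthModule come from the write-up.

```python
import xml.etree.ElementTree as ET

MODULE = "DelegatedAuthModule"  # module name as given in the quoted write-up

def effective_modules(inherited, web_config_xml):
    """Apply a site's <system.webServer>/<modules> entries, in document
    order, to the module names inherited from parent configuration."""
    loaded = list(inherited)
    server = ET.fromstring(web_config_xml).find("system.webServer")
    modules = server.find("modules") if server is not None else None
    if modules is None:
        return loaded
    for entry in modules:
        name = entry.get("name")
        if entry.tag == "clear":            # drops everything inherited so far
            loaded = []
        elif entry.tag == "remove" and name in loaded:
            loaded.remove(name)
        elif entry.tag == "add" and name and name not in loaded:
            loaded.append(name)             # a later <add> re-enables a module
    return loaded

def validates_security_token(inherited, web_config_xml):
    """True only if the module that checks the SecurityToken cookie is loaded."""
    return MODULE in effective_modules(inherited, web_config_xml)

# Constructed inputs (assumptions, not copied from a real Exchange install).
INHERITED = ["DelegatedAuthModule", "SampleOtherModule"]
BACKEND_DEFAULT = """<configuration><system.webServer><modules>
  <remove name="DelegatedAuthModule" />
</modules></system.webServer></configuration>"""
BACKEND_DELEGATED = """<configuration><system.webServer><modules>
  <remove name="DelegatedAuthModule" />
  <add name="DelegatedAuthModule" />
</modules></system.webServer></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("default", BACKEND_DEFAULT),
                       ("delegated auth configured", BACKEND_DELEGATED)):
        state = "loaded" if validates_security_token(INHERITED, cfg) else "NOT loaded"
        print(f"{label}: {MODULE} {state}")
```

A "NOT loaded" result for the back-end ECP site corresponds to the default state the researchers describe; the remedy the article gives is the July Patch Tuesday update.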

Exploiting this bug required an adversary to have an account on the same Exchange Server as that of the target. It would then

Bug Fixed With July Patch Tuesday

Upon finding this vulnerability, the researchers responsibly disclosed the bug to Microsoft.

The tech giant deemed it an important-severity vulnerability (CVE-2021-33766) that received a CVSS score of 7.3. It eventually patched the bug with the July Patch Tuesday updates.

So, while Microsoft has addressed the risk, users must ensure that they keep their systems up to date with the patches. This is especially important given how quickly threat actors exploit such bugs for large-scale attacks.
