Researchers have recently shared details about a now-patched vulnerability in Microsoft Exchange Server. Dubbed ‘ProxyToken,’ the vulnerability could let an unauthenticated adversary reconfigure Microsoft Exchange mailboxes.
Microsoft Exchange Server ‘ProxyToken’ Vulnerability
Team ZDI has shared details about a serious security flaw it discovered in Microsoft Exchange Server.
As elaborated in their post, the vulnerability identified as ‘ProxyToken’ could allow reconfiguring Microsoft Exchange mailboxes without authentication. Consequently, an adversary could exploit the flaw to gain access to personally identifiable information (PII).
Briefly, the bug resided in the Delegated Authentication feature, where the front end of the Exchange server forwards requests to the back end, which relies on the SecurityToken cookie for authentication. The bug appears when the DelegatedAuthModule is not loaded on the back end.
Code on the back end that examines and validates the SecurityToken cookie is found in the class Microsoft.Exchange.Configuration.DelegatedAuthentication.DelegatedAuthenticationModule… in a default configuration of the product, a <remove> element appears, so that the module DelegatedAuthModule will not be loaded at all for the back-end ECP site.
Thus, the back end fails to validate requests that the front end has already forwarded to it. As a result, the requests “sail through” without authentication.
When the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.
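To make the split responsibility concrete, here is an added model of the two-tier flow described above (example code, not Exchange's or ZDI's): the front end defers to the back end whenever a SecurityToken cookie is present, and the back end only vetoes a request when a loaded module says so. The `Request`, `BackEnd`, `FrontEnd` and `ecp_request` names and the "good-token" value are constructed for the example, and the `fail_closed` guard is the example's own mitigation of the logic gap, not Microsoft's patch.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)

class DelegatedAuthModule:
    # Back-end module that validates the SecurityToken cookie.
    # Toy check: token must be in a known-good set (constructed placeholder).
    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)
    def __call__(self, req):
        return req.cookies.get("SecurityToken") in self.valid_tokens

class BackEnd:
    def __init__(self, modules=(), fail_closed=False):
        self.modules = list(modules)
        self.fail_closed = fail_closed
    def handle(self, req):
        # Default: assume the front end authenticated the caller, so allow
        # unless a loaded module vetoes the request.
        for module in self.modules:
            if not module(req):
                return 401
        # Fail-closed guard (example's own): a SecurityToken cookie reached a
        # back end with no module able to validate it, so refuse the request.
        has_validator = any(isinstance(m, DelegatedAuthModule) for m in self.modules)
        if self.fail_closed and "SecurityToken" in req.cookies and not has_validator:
            return 401
        return 200

class FrontEnd:
    def __init__(self, backend):
        self.backend = backend
    def handle(self, req, credentials_ok):
        # A SecurityToken cookie means "the back end owns authentication",
        # so the front end forwards without checking credentials itself.
        if "SecurityToken" in req.cookies:
            return self.backend.handle(req)
        return self.backend.handle(req) if credentials_ok else 401

def ecp_request(delegated_auth_loaded, fail_closed, cookies, credentials_ok=False):
    # HTTP status an /ecp request receives under the given configuration.
    modules = [DelegatedAuthModule({"good-token"})] if delegated_auth_loaded else []
    front = FrontEnd(BackEnd(modules, fail_closed))
    return front.handle(Request("/ecp/", dict(cookies)), credentials_ok)

if __name__ == "__main__":
    # Default install: module not loaded, cookie present, no credentials -> 200
    print(ecp_request(False, False, {"SecurityToken": "anything"}))
    print(ecp_request(True, False, {"SecurityToken": "anything"}))   # 401
    print(ecp_request(False, True, {"SecurityToken": "anything"}))   # 401
```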
Exploiting this bug required an adversary to have an account on the same Exchange Server as that of the target. It would then
Bug Fixed With July Patch Tuesday
Upon finding this vulnerability, the researchers responsibly disclosed the bug to Microsoft.
Microsoft rated it an ‘Important’ severity vulnerability (CVE-2021-33766) with a CVSS score of 7.3, and patched the bug in the July Patch Tuesday updates.
So, while Microsoft has addressed the risk, users must keep their systems up to date with the patches. This is especially important given how quickly threat actors exploit such bugs in large-scale attacks.