New 'ProxyToken' Flaw In Microsoft Exchange Lets Attackers Reconfigure Mailboxes

Details about a newly-patched security issue affecting Microsoft Exchange Server have emerged. Tracked as CVE-2021-33766 (CVSS score: 7.3), the flaw could allow an attacker to modify the server’s configurations and expose sensitive Personally Identifiable Information (PII).

Dubbed “ProxyToken,” the issue was identified by Le Xuan Tuyen, an expert from Viet Telecom Group’s Information Security Center. It was reported to Microsoft’s Zero-Day Initiative (ZDI) in March 2021.

“With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,” the ZDI said Monday. “As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker.”

Microsoft has patched the bug as part of its Patch Tuesday updates for July 2021.

The issue pertains to a feature called Delegated authentication, a mechanism in which the front-end website passes authentication requests to the back end when it detects the presence of a SecurityToken cookie.

“When the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication,” Simon Zuckerbraun of the Zero-Day Initiative (ZDI) explained.
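The gap described above can be reproduced in a small model. This is an added example, not code from Exchange, Microsoft or the ZDI: the function names, the credential store and the `fail_closed` option are hypothetical, and the fail-closed branch illustrates one defensive design rather than Microsoft's actual patch.

```python
# Simplified model of the delegated-authentication gap (added example).
# All names and values are hypothetical/constructed, not Exchange's own code.
from dataclasses import dataclass, field
from typing import Optional

VALID_CREDENTIALS = {"alice:constructed-password"}  # constructed sample store


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    credentials: Optional[str] = None  # None: the client sent no credentials


def authenticate(req: Request) -> bool:
    return req.credentials in VALID_CREDENTIALS


def back_end(req: Request, delegated: bool, modules: set, fail_closed: bool) -> int:
    """Return the HTTP status the back end gives to a configuration request."""
    if delegated:
        if "DelegatedAuthModule" in modules:
            # Feature configured: the back end performs the delegated check.
            if not authenticate(req):
                return 401
        elif fail_closed:
            # Defensive design: nobody has verified this request, so reject it.
            return 401
        # Otherwise the module is absent and the request falls through unchecked.
    return 200  # configuration action is processed


def front_end(req: Request, modules: set, fail_closed: bool = False) -> int:
    """Front end: skips its own check when the SecurityToken cookie is present."""
    if "SecurityToken" in req.cookies:
        delegated = True  # "the back end alone is responsible"
    else:
        if not authenticate(req):
            return 401
        delegated = False
    return back_end(req, delegated, modules, fail_closed)


if __name__ == "__main__":
    anon = Request(cookies={"SecurityToken": "constructed"})
    print("module not loaded :", front_end(anon, modules=set()))
    print("module loaded     :", front_end(anon, modules={"DelegatedAuthModule"}))
    print("fail-closed design:", front_end(anon, modules=set(), fail_closed=True))
```

Each tier assumes the other one performed the check, so the only unauthenticated request that succeeds is the one where the cookie is present and the module is absent.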

The disclosure adds to the list of known Exchange Server vulnerabilities, including ProxyLogon, ProxyOracle, and ProxyShell, that have been exploited by attackers to take over unpatched systems of multiple organizations.

According to Rich Warren, an experienced security researcher, exploitation attempts targeting ProxyToken were already recorded in August. It is highly critical that customers immediately apply the security updates released by Microsoft.

About the author

CIM Team
