
'ProxyToken' Bug Put Microsoft Exchange Email at Risk

Microsoft Has Patched, But It's Another Ding in Exchange's Armor
Microsoft's store in New York (Photo: Microsoft)

Researchers have released details of a serious but now patched bug nicknamed "ProxyToken" in Microsoft's Exchange Server.


By exploiting the vulnerability, CVE-2021-33766, an attacker could access mailboxes and potentially forward emails they contain to their own account, writes Simon Zuckerbraun of Trend Micro's Zero Day Initiative in a blog post.

The vulnerability "can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker," Zuckerbraun writes.

Patched in April

Microsoft patched the vulnerability in April's Patch Tuesday updates. The vulnerability, which affects Exchange Server 2013, 2016 and 2019, garnered a CVSS score of 7.3.

There was some initial confusion over exactly when Microsoft patched it due to an error made by the company. Microsoft inadvertently omitted the CVE from its notes describing its April security updates. Customers who installed the April updates are protected.

The vulnerability was discovered in March by Le Xuan Tuyen of Vietnam Post and Telecommunications Group's Information Security Center. He reported it to the Zero Day Initiative.

At the core of the problem is an authentication error. Zuckerbraun writes that Exchange's front end - such as Outlook Web Access or the Exchange Control Panel - sometimes passes the authentication of requests to Exchange's back end. That occurs when an organization is using a feature called "Delegated Authentication," he writes.

Requests delegated in this way carry a SecurityToken cookie. The problem arises when the back end has not loaded the module that is supposed to handle them, DelegatedAuthModule.

That means that "when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request," Zuckerbraun writes. "Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end."
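The split Zuckerbraun describes is a classic fail-open hand-off: each tier assumes the other checks. The following is an added, simplified model written for this article, not Exchange code and not Microsoft's actual fix; every name, cookie value and credential in it is constructed. It places the behaviour described above beside a fail-closed variant in which a delegated request is refused whenever the component able to verify it is not loaded.

```python
# Simplified model of the front-end / back-end authentication split described above.
# Constructed example: names, tokens and credentials are hypothetical, not Exchange's own.

SECURITY_TOKEN_COOKIE = "SecurityToken"
VALID_TOKENS = {"constructed-good-token"}      # constructed stand-in for a genuine delegated token
VALID_CREDENTIAL = "constructed-valid-login"   # constructed stand-in for a valid front-end login


def front_end(request, back_end, module_loaded):
    """Front end (OWA / ECP in the article): if the SecurityToken cookie is present it assumes
    the back end alone is responsible for authentication and forwards the request unchecked."""
    if SECURITY_TOKEN_COOKIE in request["cookies"]:
        return back_end(request, module_loaded)
    if request.get("authorization") != VALID_CREDENTIAL:
        return 401
    return back_end(request, module_loaded)


def back_end_vulnerable(request, module_loaded):
    """Back end as described: only DelegatedAuthModule inspects the cookie, and that module is
    absent unless delegated authentication was explicitly configured. Otherwise nothing checks."""
    if module_loaded and SECURITY_TOKEN_COOKIE in request["cookies"]:
        return 200 if request["cookies"][SECURITY_TOKEN_COOKIE] in VALID_TOKENS else 401
    return 200  # no tier verified anything on this path


def back_end_hardened(request, module_loaded):
    """Fail-closed variant (a design suggestion, not the vendor's patch): a request that claims
    delegated authentication is rejected unless the verifying module is loaded and agrees."""
    if SECURITY_TOKEN_COOKIE in request["cookies"]:
        if not module_loaded:
            return 401
        return 200 if request["cookies"][SECURITY_TOKEN_COOKIE] in VALID_TOKENS else 401
    return 200


def outcome(request, back_end, module_loaded=False):
    """Status code a request ends up with after passing through both tiers."""
    return front_end(request, back_end, module_loaded)


if __name__ == "__main__":
    # Constructed request: no credential, only a SecurityToken cookie with an arbitrary value.
    unverified = {"path": "/constructed/resource", "cookies": {SECURITY_TOKEN_COOKIE: "x"}}
    print(outcome(unverified, back_end_vulnerable))  # 200: sails through, as the article says
    print(outcome(unverified, back_end_hardened))    # 401: refused because nothing could check it
```

The model also shows that the legitimate paths are unchanged by the fail-closed rule: a normal login without the cookie and a genuine token with the module loaded both still succeed.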

Rough Year for Exchange

It has been a difficult year for Microsoft Exchange. Earlier, one researcher found several high-impact flaws.

Cheng-Da Tsai - also known as Orange Tsai - of the Taiwanese penetration testing company Devcore discovered vulnerabilities in Exchange that are nicknamed ProxyShell, ProxyOracle and ProxyLogon (see: Microsoft Issues Security Advisory on ProxyShell Flaws).

Somehow, information related to the ProxyLogon bugs leaked prior to Microsoft issuing patches in early March. In July, the White House blamed China for indiscriminately attacking thousands of vulnerable Exchange servers. Some of those servers had ransomware installed (see: How Did the Exchange Server Exploit Leak?).

Collectively, those vulnerabilities are giving attackers ample opportunity, writes Pieter Arntz, a malware analyst with Malwarebytes, in a blog post.

"Exchange is attracting a lot of interest this year," Arntz writes. "Everyone’s a fan. All of these vulnerabilities are being actively scanned for and exploited by malware peddlers, including ransomware gangs."

Zuckerbraun says there could be many more problems lurking in Exchange Server, a concern previously expressed by Orange Tsai.

"Exchange Server continues to be an amazingly fertile area for vulnerability research," Zuckerbraun writes. "This can be attributed to the product’s enormous complexity, both in terms of feature set and architecture. We look forward to receiving additional vulnerability reports in the future from our talented researchers who are working in this space."


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



