'ProxyToken' Bug Put Microsoft Exchange Email at RiskMicrosoft Has Patched, But It's Another Ding in Exchange's Armor
Researchers have released details of a serious but now patched bug nicknamed "ProxyToken" in Microsoft's Exchange Server.
By exploiting the vulnerability, CVE-2021-33766, an attacker could access mailboxes and potentially forward emails they contain to their own account, writes Simon Zuckerbraun of Trend Micro's Zero Day Initiative in a blog post.
The vulnerability "can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker," Zuckerbraun writes.
Patched in April
Microsoft patched the vulnerability in April's Patch Tuesday updates. The vulnerability, which affects Exchange Server 2013, 2016 and 2019, garnered a CVSS score of 7.3.
There was some initial confusion over exactly when Microsoft patched it due to an error made by the company. Microsoft inadvertently omitted the CVE from its notes describing its April security updates. Customers who installed the April updates are protected.
The vulnerability was discovered in March by Le Xuan Tuyen of Vietnam Post and Telecommunications Group's Information Security Center. He reported it to the Zero Day Initiative.
At the core of the problem is an authentication error. Zuckerbraun writes that Exchange's front end - such as Outlook Web Access or the Exchange Control Panel - sometimes passes authentication requests to the Exchange's back end. That occurs if an organization is using a feature called "Delegated Authentication," he writes.
Those authentication requests carry a SecurityToken cookie. But the problem comes when the back end does not load a module called DelegatedAuthModule.
"That means that "when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request," Zuckerbraun writes. "Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end."
Rough Year for Exchange
It has been a difficult year for Microsoft Exchange. Earlier, one researcher found several high-impact flaws.
Cheng-Da Tsai - also known as Orange Tsai - of the Taiwanese penetration testing company Devcore discovered vulnerabilities in Exchange that are nicknamed ProxyShell, ProxyOracle and ProxyLogon (see: Microsoft Issues Security Advisory on ProxyShell Flaws).
Somehow, information related to the ProxyLogon bugs leaked prior to Microsoft issuing patches in early March. In July, the White House blamed China for indiscriminately attacking thousands of vulnerable Exchange servers. Some of those servers had ransomware installed (see: How Did the Exchange Server Exploit Leak?).
"Exchange is attracting a lot of interest this year," Arntz writes. "Everyone’s a fan. All of these vulnerabilities are being actively scanned for and exploited by malware peddlers, including ransomware gangs."
Zuckerbraun says there could be many more problems lurking in Exchange Server, a concern previously expressed by Orange Tsai.
"Exchange Server continues to be an amazingly fertile area for vulnerability research," Zuckerbraun writes. "This can be attributed to the product’s enormous complexity, both in terms of feature set and architecture. We look forward to receiving additional vulnerability reports in the future from our talented researchers who are working in this space."