New Microsoft Exchange “ProxyToken” flaw lets attackers reconfigure mailboxes


Details have emerged about a now-patched security vulnerability in Microsoft Exchange Server that an unauthenticated attacker could weaponize to modify server configuration, leading to the disclosure of personally identifiable information (PII).

The problem, tracked as CVE-2021-33766 (CVSS score: 7.3) and dubbed “ProxyToken”, was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of the Vietnam Post and Telecommunications Group (VNPT-ISC), and reported through the Zero Day Initiative (ZDI) program in March 2021.


“With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,” the ZDI said Monday. “As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker.”

Microsoft addressed the issue as part of the July 2021 Patch Tuesday updates.

The security flaw lies in a feature called Delegated Authentication, a mechanism by which the front-end site (the Outlook Web Access client, OWA) passes authentication requests straight through to the back-end when it detects the presence of a SecurityToken cookie.


However, because Exchange must be specifically configured to use this feature and to have the back-end perform the checks, the module that handles the delegation (“DelegatedAuthModule”) is not loaded under the default configuration. The result is an authentication bypass: the front-end defers to the back-end because of the SecurityToken cookie, and the back-end, lacking the module, never authenticates the incoming request at all.

“The net result is that requests can sail through without being subjected to authentication on either the front end or the back end,” explains Simon Zuckerbraun of ZDI.


The disclosure adds to a growing list of Exchange Server vulnerabilities that have come to light this year, including ProxyLogon, ProxyOracle, and ProxyShell, which have been actively exploited by threat actors to take over unpatched servers, deploy malicious web shells, and drop file-encrypting ransomware such as LockFile.

Worryingly, in-the-wild exploitation attempts abusing ProxyToken were already recorded on August 10, according to NCC Group security researcher Rich Warren, so it is imperative that customers move quickly to apply Microsoft's security updates.
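Applying the July update closes the bypass but does not undo anything an attacker already configured through it. The PowerShell below is an added example (not code from the article, ZDI, or Microsoft) that audits an on-premises Exchange organization for the post-exploitation effect ZDI describes: mail forwarding set on the mailbox itself or through inbox rules, flagged when the destination lies outside the organization's accepted domains. It assumes it runs in the Exchange Management Shell under an account that can read every mailbox; the report path and the 90-day audit-log window are arbitrary choices made for the example.

```powershell
# Added example, not the article's or ZDI's code: hunt for mailbox forwarding
# that an attacker could have planted via an unauthenticated ECP/EWS request.
# Assumes the Exchange Management Shell; $ReportPath is a hypothetical location.
$ReportPath = "$env:TEMP\forwarding-audit.csv"

# Every accepted domain counts as internal; anything else is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # ForwardingSmtpAddress looks like "smtp:user@example.com";
    # inbox-rule recipients look like "Display Name [SMTP:user@example.com]".
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    # Legacy-DN recipients ("[EX:/o=...]") have no '@' and are internal by construction.
    if ($Address -notmatch '@') { return $false }
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (Set-Mailbox -ForwardingSmtpAddress ...)
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox  = "$($mbx.PrimarySmtpAddress)"
            Kind     = 'ForwardingSmtpAddress'
            Rule     = ''
            Target   = "$($mbx.ForwardingSmtpAddress)"
            External = Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)"
            KeepCopy = $mbx.DeliverToMailboxAndForward   # $true means the victim still sees the mail
        }
    }
    # Forwarding to an internal recipient object (Set-Mailbox -ForwardingAddress ...)
    if ($mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = "$($mbx.PrimarySmtpAddress)"
            Kind     = 'ForwardingAddress'
            Rule     = ''
            Target   = "$($mbx.ForwardingAddress)"
            External = $false   # must resolve to a recipient in this org, but a contact can point outside
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    # Per-mailbox inbox rules that forward or redirect mail
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            [pscustomobject]@{
                Mailbox  = "$($mbx.PrimarySmtpAddress)"
                Kind     = 'InboxRule'
                Rule     = $rule.Name
                Target   = "$t"
                External = Test-ExternalAddress "$t"
                KeepCopy = ($t -notin @($rule.RedirectTo))   # RedirectTo removes the victim's copy
            }
        }
    }
}

# External destinations first; every row is also written to CSV for triage.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path $ReportPath

# Who set mailbox-level forwarding in the last 90 days (needs admin audit logging enabled,
# which is the default). Changes made through the bypass still land here because ECP
# invokes Set-Mailbox under the hood.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ForwardingSmtpAddress, ForwardingAddress `
    -StartDate (Get-Date).AddDays(-90) |
    Select-Object RunDate, Caller, ObjectModified, @{n='Params'; e={ $_.CmdletParameters -join '; ' }}
```

Treat any row with External = $true, or any forwarding the mailbox owner does not recognize, as an indicator to investigate rather than a false positive to suppress. Forwarding to an internal contact object is flagged as internal here even though a mail contact can carry an external address, so review ForwardingAddress rows by hand.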
