Details have emerged about a now-patched security vulnerability in Microsoft Exchange Server that could be weaponized by an unauthenticated attacker to modify server configurations, leading to the disclosure of Personally Identifiable Information (PII).
The issue, tracked as CVE-2021-33766 (CVSS score: 7.3) and dubbed "ProxyToken," was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero Day Initiative (ZDI) program in March 2021.
"With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users," the ZDI said Monday. "As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker."
Microsoft addressed the issue as part of its Patch Tuesday updates for July 2021.
The security flaw resides in a feature called Delegated Authentication, a mechanism whereby the front-end site, the Outlook Web Access (OWA) client, passes authentication requests directly to the back end when it detects the presence of a SecurityToken cookie.
However, because Exchange has to be specifically configured to use the feature and have the back end perform the checks, the module handling this delegation ("DelegatedAuthModule") isn't loaded under the default configuration. The result is a bypass: the back end fails to authenticate incoming requests that carry the SecurityToken cookie.
"The net result is that requests can sail through, without being subjected to authentication on either the front or back end," ZDI's Simon Zuckerbraun said.
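Because the bypass hinges on a request reaching the server with a SecurityToken cookie while no user is actually authenticated, that combination is a useful thing to hunt for in web server logs. The following is an added example written for this article, not code from ZDI or Microsoft; it assumes IIS W3C logging with the optional cs(Cookie) field enabled, and the log lines are constructed for the demo.

```python
"""Added example: flag candidate ProxyToken requests in IIS W3C logs.
Assumes the site logs the cs(Cookie) field; sample lines are constructed."""
from typing import Dict, List

# Constructed sample: two ordinary requests and two that carry a SecurityToken
# cookie while IIS recorded no authenticated user (cs-username is '-').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status
2021-08-10 09:12:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 - 200
2021-08-10 09:12:03 10.0.0.5 GET /owa/ - 443 alice 192.0.2.10 Mozilla/5.0 - 200
2021-08-10 09:12:07 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 Mozilla/5.0 SecurityToken=x 200
2021-08-10 09:12:09 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 python-requests/2.25 SecurityToken=x 302
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_proxytoken_candidates(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """A SecurityToken cookie on a request the front end logged as
    unauthenticated matches the pattern described above: the cookie makes
    the front end defer to the back end, which never checks it."""
    hits = []
    for row in rows:
        cookie = row.get("cs(Cookie)", "-")
        if "SecurityToken=" in cookie and row.get("cs-username", "-") == "-":
            hits.append(row)
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client IP for triage."""
    counts: Dict[str, int] = {}
    for row in hits:
        counts[row["c-ip"]] = counts.get(row["c-ip"], 0) + 1
    return counts
```

On a patched server the cookie still appears in logs from scanners, so treat a hit as a triage lead and confirm the July 2021 update is installed rather than as proof of compromise.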
The disclosure adds to a growing list of Exchange Server vulnerabilities that have come to light this year, including ProxyLogon, ProxyOracle, and ProxyShell, which have been actively exploited by threat actors to take over unpatched servers and deploy malicious web shells and file-encrypting ransomware such as LockFile.
Troublingly, in-the-wild exploitation attempts abusing ProxyToken have already been recorded as early as August 10, according to NCC Group security researcher Rich Warren, making it essential that users move quickly to apply the security updates from Microsoft.