New Microsoft Exchange 'ProxyToken' Flaw Lets Attackers Reconfigure Mailboxes


Details have emerged about a now-patched security vulnerability in Microsoft Exchange Server that could be weaponized by an unauthenticated attacker to modify server configuration, leading to the disclosure of Personally Identifiable Information (PII).

The issue, tracked as CVE-2021-33766 (CVSS score: 7.3) and dubbed "ProxyToken," was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero Day Initiative (ZDI) program in March 2021.


"With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users," the ZDI said Monday. "As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker."

Microsoft addressed the issue as part of its Patch Tuesday updates for July 2021.

The security weakness resides in a feature called Delegated Authentication, a mechanism whereby the front-end site — the Outlook Web Access (OWA) client — passes authentication requests straight through to the back end when it detects the presence of a SecurityToken cookie.


However, Exchange has to be specifically configured to use this feature and to have the back end perform the checks. Under the default configuration, the module that handles this delegation ("DelegatedAuthModule") is not loaded on the back end, so the back end never authenticates incoming requests that carry the SecurityToken cookie, and the front end has already skipped its own check: an authentication bypass.

"The net result is that requests can sail through, without being subjected to authentication on either the front or back end," ZDI's Simon Zuckerbraun explained.
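The bypass described above has a concrete, defender-visible consequence: a request that arrived with a SecurityToken cookie was served successfully even though neither tier recorded an authenticated identity. The following script is an added example written for this page (it is not code from ZDI, Microsoft or NCC Group) and assumes a simplified, constructed access-log layout that records the authenticated user and the raw Cookie header; it flags exactly those requests as candidates for further investigation.

```python
"""Hunting heuristic for the delegated-authentication bypass described above.

Assumption (not a documented Exchange/IIS format): each log line is
  date time client method uri status user cookies
where `user` is "-" when the server recorded no authenticated identity and
`cookies` is the raw Cookie header ("-" when absent). Adapt the regex to the
real log layout before using this against production logs.
"""
import re
from dataclasses import dataclass
from typing import List

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3}) (?P<user>\S+) (?P<cookies>\S+)$"
)

# Constructed sample log. Line 2 is the bypass pattern: SecurityToken cookie,
# HTTP 200, no authenticated user. Line 3 was rejected (401), line 4 shows a
# properly authenticated delegated request, line 5 has a look-alike cookie name.
SAMPLE_LOG = """\
# date time client method uri status user cookies   (constructed sample)
2021-08-10 09:12:01 10.0.0.5 GET /owa/ 200 alice OWAAuth=a1b2
2021-08-10 09:12:05 203.0.113.7 POST /owa/settings 200 - SecurityToken=deadbeef
2021-08-10 09:12:09 203.0.113.7 POST /owa/settings 401 - SecurityToken=deadbeef
2021-08-10 09:13:11 10.0.0.9 POST /owa/settings 200 bob SecurityToken=c0ffee;OWAAuth=c3d4
2021-08-10 09:14:02 198.51.100.4 GET /owa/ 200 - MySecurityToken=1
"""


@dataclass
class Request:
    timestamp: str
    client: str
    method: str
    uri: str
    status: int
    user: str      # "-" means no authenticated identity was recorded
    cookies: str   # raw Cookie header, "-" when absent


def parse_log(text: str) -> List[Request]:
    """Parse the constructed log layout; comment lines and blanks are skipped."""
    requests: List[Request] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        requests.append(Request(
            timestamp=f"{m['date']} {m['time']}",
            client=m["client"],
            method=m["method"],
            uri=m["uri"],
            status=int(m["status"]),
            user=m["user"],
            cookies=m["cookies"],
        ))
    return requests


def has_security_token(cookies: str) -> bool:
    """True only if a cookie named exactly SecurityToken is present."""
    return any(part.strip().split("=", 1)[0] == "SecurityToken"
               for part in cookies.split(";"))


def suspicious(req: Request) -> bool:
    """SecurityToken cookie + successful response + no authenticated user.

    That combination is what the bypass leaves behind: the front end
    delegated the check, and the back end never performed it.
    """
    return (has_security_token(req.cookies)
            and 200 <= req.status < 300
            and req.user == "-")


def find_bypass_candidates(text: str) -> List[Request]:
    """Return every parsed request that matches the bypass signature."""
    return [r for r in parse_log(text) if suspicious(r)]


if __name__ == "__main__":
    for hit in find_bypass_candidates(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} {hit.method} {hit.uri} "
              f"status={hit.status} user={hit.user}")
```

On the constructed sample the script reports only the 09:12:05 request from 203.0.113.7. A hit is a lead, not a verdict: a legitimately configured delegated-authentication deployment can produce similar lines, so each candidate should be checked against the server's own authentication logs and the mailbox configuration of the affected user. Applying Microsoft's July 2021 update remains the fix; this heuristic only helps establish whether the window before patching was used.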


The disclosure adds to a growing list of Exchange Server vulnerabilities that have come to light this year, including ProxyLogon, ProxyOracle, and ProxyShell, which have been actively exploited by threat actors to take over unpatched servers and deploy malicious web shells and file-encrypting ransomware such as LockFile.

Troublingly, in-the-wild exploitation attempts abusing ProxyToken have already been recorded as early as August 10, according to NCC Group security researcher Rich Warren, making it imperative that customers move quickly to apply the security updates from Microsoft.
