Connect with us

Hi, what are you looking for?

Cyber Security

Microsoft Exchange Server had ‘ProxyToken’ vulnerability that leaked incoming emails

Microsoft has patched a fresh security vulnerability in Exchange Server that enables attackers to bypass authentication and snoop on employee emails.

The high severity flaw (CVSS 7.3) means unauthenticated assailants can install a forwarding rule on victims’ mailboxes that forwards incoming emails to their own account, according to a blog post published yesterday (August 30) by the Zero Day Initiative (ZDI).

Dubbed ‘ProxyToken’, the flaw (CVE-2021-33766) was reported to the Zero Day Initiative in March 2021 by Le Xuan Tuyen of the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC). Microsoft released a patch in July.

The disclosure is the latest in a string of serious vulnerabilities to surface in the market-leading enterprise mail server and follows a recent barrage of attacks targeting systems unpatched against ‘ProxyShell’ vulnerabilities.

Security researchers at Huntress Labs have found LockFile ransomware payloads and more than 200 hidden webshells among more than 4,000 Exchange servers since the Cybersecurity and Infrastructure Security Agency (CISA) urged users to update their systems on August 21.

Authentication delegation

The latest vulnerability relates to the ‘Delegated Authentication’ mechanism and impacts deployments in their default configuration.

Delegated Authentication means Microsoft Exchange’s front-end client for Outlook Web Access (OWA) and Exchange Control Panel (ECP) delegates the authentication of requests within /ecp to the back end if it finds a non-empty cookie named SecurityToken.

Le Xuan Tuyen found that, in installations not configured to use Delegated Authentication, “a <remove> element appears” in the /ecp/web.config on the back end, “so that the module DelegatedAuthModule will not be loaded at all for the back-end ECP site”, explained ZDI security researcher Simon Zuckerbraun.

In layman’s terms, this means the front end is informed that responsibility for authenticating the request lies with the back end – which is oblivious to the obligation.

“The net result is that requests can sail through, without being subjected to authentication on either the front or back end,” said Zuckerbraun.

The exploit requires that attackers have an account on the target Exchange Server – except for installations where administrators have permitted “forwarding rules with arbitrary internet destinations”, said Zuckerbraun.

“Furthermore, since the entire /ecp site is potentially affected, various other means of exploitation may be available as well,” he added.

‘Amazingly fertile area’

Exchange Server’s “enormous complexity, both in terms of feature set and architecture”, makes it “an amazingly fertile area for vulnerability research”, said Zuckerbraun.

This comment echoed similar sentiments expressed recently by fellow researcher Orange Tsai in relation to his ‘ProxyShell’, ‘ProxyOracle’, and ‘ProxyLogon’ exploits at Black Hat USA 2021.

Describing Exchange Server as “a buried treasure”, Tsai said ‘ProxyLogon’, which was involved in the compromise of hundreds of thousands of enterprise messaging servers in March, was potentially “the most severe vulnerability in the history of Microsoft Exchange”.

Advertisement. Scroll to continue reading.

The Daily Swig has contacted Microsoft and the ZDI for further comment. we will update the article if comments are forthcoming.

Source: https://portswigger.net/daily-swig/microsoft-exchange-server-had-proxytoken-vulnerability-that-leaked-incoming-emails

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Researchers at the RWTH Aachen University in Germany published a study revealing that tens of thousands of container images hosted on Docker Hub contain...

Cyber Security

The precautions and techniques that have been put in place for the protection of email messages from unauthorized access, interception or manipulation is regarded...

Cyber Security

Mondelez Global LLC, the parent company of Oreo cookies and other major food products have released a notice stating that Oreo cookie maker Hacked,...

Cyber Security

airBaltic, Latvia’s flag carrier has acknowledged that a ‘technical error’ exposed reservation details of some of its passengers to other airBaltic passengers. Passengers also reported...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO