The CVE-2021-33766 bug, also known as Proxy Token vulnerability, in Microsoft Exchange Server can help threat actors steal victims’ personal information, company-related confidential data, and more.
The Proxy Token Vulnerability
Proxy Token, a critical Microsoft Exchange Server security vulnerability, can enable an unauthenticated attacker to gain access to and steal emails from a victim’s mailbox.
Microsoft Exchange uses two websites: the front-end site, where users log in to access email, and the back-end site that manages the authentication function.
“The front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx,” according to a Monday posting on the bug from Trend Micro’s Zero Day Initiative. “For all post-authentication requests, the front end’s main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.”
The problem hides in ‘Delegated Authentication,’ a feature where the front end passes authentication requests directly to the back end. These requests include a SecurityToken cookie to identify them. However, Exchange needs to be specifically set to have the back-end site perform the authentication checks. Unfortunately, the module in charge of that isn’t loaded in the default configuration.
“When the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request,” according to ZDI. “Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.”
From that point, an attacker can install a forwarding rule that lets them read the victim’s email.
“With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,” according to the post. “As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker.”
Threat Actors Do Not Need Valid Exchange Credentials To Compromise A Victim’s Email
ZDI also highlighted a potential attack scenario in which a threat actor has an account on the same Microsoft Exchange server as their victim. However, if an administrator has permitted forwarding rules with arbitrary Internet destinations, no Exchange credentials are needed at all.
“On some Exchange installations, an administrator may have set a global configuration value that permits forwarding rules having arbitrary Internet destinations, and in that case, the attacker does not need any Exchange credentials at all,” the post notes. “Furthermore, since the entire /ecp [Exchange Control Panel] site is potentially affected, various other means of exploitation may be available as well.”
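Because the impact described above is a forwarding rule quietly added to a victim’s mailbox, the practical defender check is to audit forwarding across the organization. The following script is an added example (not from the article or from ZDI) for the Exchange Management Shell; it assumes the article’s “global configuration value” refers to the remote-domain AutoForwardEnabled setting, and it flags rule targets whose domain is not one of the organization’s accepted domains.

```powershell
# Added example, not from the article or ZDI. Run in the Exchange Management Shell.
# Hunts for mail forwarding/redirection at three levels and marks external targets.

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients render as '"Display Name" [SMTP:user@domain]' or a bare SMTP address.
    if ($Address -match 'smtp:([^\]\s]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }   # a directory object, not an SMTP address
    $domain = ($Address -split '@')[-1].Trim(']').ToLower()
    return -not ($internalDomains -contains $domain)
}

# 1. Global setting (assumed to be the "global configuration value" the article mentions):
#    does any remote domain, in particular the default one, allow auto-forwarding?
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# 2. Mailbox-level forwarding configured on the mailbox object itself.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect, with external destinations flagged.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = ($targets -join '; ')
                External = [bool]($targets | Where-Object { Test-ExternalAddress $_ })
            }
        }
}
# External rules sort to the top; review each against a known change or user request.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```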
Researcher Le Xuan Tuyen of VNPT reported the bug (CVE-2021-33766) to the Zero Day Initiative, and Microsoft patched it in the July Exchange cumulative updates. Organizations are advised to apply the update to reduce the risk of mailbox data leaks.
The Proxy Token vulnerability discovery comes on the heels of the disclosure of Proxy Logon in early March, wherein hackers leveraged four Exchange flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which together create a pre-authentication remote code execution (RCE) exploit. Cybercriminals can seize control of unpatched servers without needing to enter any valid account credentials, giving them access to email communications and the ability to install a web shell for further attacks within the environment. Proxy Logon became a hackers’ favorite in wide-scale attacks this spring.