Patched authentication bypass comes in wake of widespread exploitation of ‘ProxyShell’ vulnerabilities
UPDATED Microsoft has patched a fresh security vulnerability in Exchange Server that enables attackers to bypass authentication and snoop on employee emails.
The high severity flaw (CVSS 7.3) means unauthenticated assailants can install a forwarding rule on victims’ mailboxes that forwards incoming emails to their own account, according to a blog post published yesterday (August 30) by Trend Micro’s Zero Day Initiative (ZDI).
“Furthermore, it may be possible to use the ProxyToken bug to perform other illicit modifications to Exchange mailbox configuration,” ZDI communications manager Dustin Childs told The Daily Swig.
Dubbed ‘ProxyToken’, the flaw (CVE-2021-33766) was reported to the Zero Day Initiative in March 2021 by Le Xuan Tuyen of the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC). Microsoft released a patch in July.
The disclosure is the latest in a string of serious vulnerabilities to surface in the market-leading enterprise mail server and follows a recent barrage of attacks targeting systems unpatched against ‘ProxyShell’ vulnerabilities.
Security researchers at Huntress Labs have found LockFile ransomware payloads and more than 200 hidden webshells among more than 4,000 Exchange servers since the Cybersecurity and Infrastructure Security Agency (CISA) urged users to update their systems on August 21.
The latest vulnerability relates to the ‘Delegated Authentication’ mechanism and impacts deployments in their default configuration.
Under Delegated Authentication, the Exchange front end for Outlook Web Access (OWA) and the Exchange Control Panel (ECP) delegates authentication of requests within /ecp to the back end whenever it finds a non-empty cookie named SecurityToken.
Le Xuan Tuyen found that, in installations not configured to use Delegated Authentication, “a <remove> element appears” in the /ecp/web.config on the back end, “so that the module DelegatedAuthModule will not be loaded at all for the back-end ECP site”, explained ZDI security researcher Simon Zuckerbraun.
“The net result is that requests can sail through, without being subjected to authentication on either the front or back end,” said Zuckerbraun.
The exploit requires that attackers have an account on the target Exchange Server – except for installations where administrators have permitted “forwarding rules with arbitrary internet destinations”, he added.
“Furthermore, since the entire /ecp site is potentially affected, various other means of exploitation may be available as well,” he added.
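Since the practical outcome described above is a mailbox rule that forwards or redirects mail to an outside address, the check a defender wants after patching is an audit of existing inbox rules. The following PowerShell is an added example, not code from the article, ZDI or Microsoft: it takes objects shaped like the output of Get-InboxRule, extracts every forwarding, forward-as-attachment and redirect destination, and reports those whose domain is not in an accepted-domain list. The sample rules and the domain list (example.com) are constructed assumptions; on a live server you would pipe `Get-Mailbox -ResultSize Unlimited | Get-InboxRule` into the function instead.

```powershell
# Added example (not from the article or ZDI): flag inbox rules that forward or
# redirect mail outside the organisation's accepted domains. Rule objects are
# expected to look like Get-InboxRule output (MailboxOwnerId, Name, Enabled,
# ForwardTo, ForwardAsAttachmentTo, RedirectTo).

function Find-ExternalForwardingRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Rule,

        # Assumption: replace with the domains your organisation actually accepts
        [string[]] $AcceptedDomain = @('example.com')
    )
    process {
        foreach ($r in $Rule) {
            # Gather destinations from all three forwarding-style actions; drop nulls
            $destinations = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) |
                Where-Object { $_ }
            foreach ($dest in $destinations) {
                # Recipients are usually rendered as "Display Name [SMTP:user@domain]";
                # pull out the SMTP address, falling back to the raw string
                $addr = if ($dest -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { [string]$dest }
                $domain = ($addr -split '@')[-1]
                if ($AcceptedDomain -notcontains $domain) {
                    [pscustomobject]@{
                        Mailbox     = $r.MailboxOwnerId
                        RuleName    = $r.Name
                        Enabled     = $r.Enabled
                        Destination = $addr
                    }
                }
            }
        }
    }
}

# Constructed sample rules (not real data): one internal archive rule, one external redirect
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@example.com'; Name = 'Archive';     Enabled = $true
                       ForwardTo = @('Archive Box [SMTP:archive@example.com]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'bob@example.com';   Name = 'Forward all'; Enabled = $true
                       ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = @('[SMTP:collector@external.invalid]') }
)

# Only Bob's rule is reported, because external.invalid is not an accepted domain
$sampleRules | Find-ExternalForwardingRule -AcceptedDomain 'example.com' | Format-Table -AutoSize
```

The function deliberately reports disabled rules as well as enabled ones, since a rule that was switched off after use still records where mail went; pair the audit with a review of Set-RemoteDomain AutoForwardEnabled settings if your environment permits forwarding to arbitrary internet destinations.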
Although Dustin Childs notes that Microsoft has deemed the risk of exploitation as relatively unlikely, he says the ZDI has “a working proof of concept, so it would not surprise us to see this used in the wild in the near future”.
Microsoft apparently addressed the vulnerability in April but didn’t document it until the July release.
“Silent patches have caused many problems in the past and represent significant risks to enterprises,” said Childs. “While the goal should be for administrators to install every patch, this is simply not feasible for most networks. Network defenders need as much information as possible to prioritize their resources.”
A Microsoft spokesperson told The Daily Swig: “A security update was released in July. Customers who apply the update, or have automatic updates enabled, will be protected.”
‘Amazingly fertile area’
Exchange Server’s “enormous complexity, both in terms of feature set and architecture”, makes it “an amazingly fertile area for vulnerability research”, said Zuckerbraun.
Describing Exchange Server as “a buried treasure”, Tsai said ‘ProxyLogon’, which was involved in the compromise of hundreds of thousands of enterprise messaging servers in March, was potentially “the most severe vulnerability in the history of Microsoft Exchange”.
This article was updated with comments from Dustin Childs from the ZDI on August 31, and a comment from Microsoft on September 1.