ProxyToken Microsoft Exchange Server Flaw Allows Emails to be Stolen

An information-disclosure vulnerability dubbed ProxyToken has been identified in Microsoft Exchange Server that could be exploited by a threat actor to gain access to highly sensitive personal and corporate data stored in email accounts.

The vulnerability, tracked as CVE-2021-33766, would allow an attacker to copy all emails addressed to a target and forward them on to an account controlled by the attacker.

In a recent write-up about the vulnerability, the Zero Day Initiative (ZDI) explained that Microsoft Exchange uses two websites: one is the default front-end website, which users connect to for web access to their emails, while the second is a back-end site that is involved in authentication. The front-end website is mostly just a proxy for the back-end site.

“To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx,” said ZDI in a recent blog post. “For all post-authentication requests, the front end’s main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.”

The vulnerability is due to the “Delegated Authentication” feature, in which the front end passes authentication requests directly to the back end because it cannot process them on its own. The front end relies on the back end to determine whether a request has been properly authenticated, and it decides when to do so by the presence of a SecurityToken cookie: if the front end finds a non-empty cookie named SecurityToken, authentication is delegated to the back end.

Microsoft Exchange must be specifically configured to allow the back end to perform authentication checks, which requires the “DelegatedAuthModule” to be loaded on the back-end site. In the default configuration it is not. As a result, in certain configurations the front end assumes from the presence of the SecurityToken cookie that the back end will perform the authentication checks, but the back end, without the DelegatedAuthModule loaded, does not know that some incoming requests need to be authenticated. Those requests pass through without being subject to authentication at either the front end or the back end.
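The decision logic described above, as a small Python model added here for illustration (it is not Exchange code and not taken from ZDI's write-up). The status codes, the `VALID_TOKENS` store, the function names and the `fail_closed` flag are assumptions; the fail-closed branch is a hypothetical hardening, not Microsoft's patch.

```python
from dataclasses import dataclass, field
from typing import Optional

VALID_TOKENS = {"constructed-valid-token"}  # constructed sample data

@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    session_user: Optional[str] = None  # set when the front end authenticated the user itself

def back_end(req: Request, module_loaded: bool) -> int:
    """Back end validates SecurityToken only when DelegatedAuthModule is loaded."""
    if module_loaded and "SecurityToken" in req.cookies:
        if req.cookies["SecurityToken"] not in VALID_TOKENS:
            return 401
    return 200  # module not loaded: request is processed without any check

def front_end(req: Request, module_loaded: bool, fail_closed: bool = False) -> int:
    """Front end skips its own check whenever a non-empty SecurityToken is present."""
    if req.cookies.get("SecurityToken"):
        if fail_closed and not module_loaded:
            return 401  # hypothetical hardening: no tier would validate this request
        return back_end(req, module_loaded)  # delegated authentication
    if req.session_user is None:
        return 401  # no session and no token: rejected at the front end
    return back_end(req, module_loaded)

def audit() -> dict:
    """Run the same requests against each configuration and collect the outcomes."""
    unvalidated = Request(cookies={"SecurityToken": "x"})  # constructed, never issued
    valid = Request(cookies={"SecurityToken": "constructed-valid-token"})
    return {
        "unvalidated token, module missing": front_end(unvalidated, False),
        "unvalidated token, module loaded": front_end(unvalidated, True),
        "unvalidated token, module missing, fail closed": front_end(unvalidated, False, True),
        "valid token, module loaded": front_end(valid, True),
        "no token, no session": front_end(Request(), False),
        "no token, logged-in session": front_end(Request(session_user="alice"), False),
    }

if __name__ == "__main__":
    for case, status in audit().items():
        print(f"{status}  {case}")
```

Only the first case returns 200 without anyone having checked the request, which is the gap: each tier assumes the other one is enforcing authentication.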

That means an attacker could easily set up a mail-forwarding rule for a specific user, which will result in that user's emails being forwarded to the attacker’s designated email account. ZDI explained a scenario in which an attacker who has an email account on the same Exchange Server as the victim could exploit the flaw to steal emails. “On some Exchange installations, an administrator may have set a global configuration value that permits forwarding rules having arbitrary Internet destinations, and in that case, the attacker does not need any Exchange credentials at all.” Various other methods of exploiting the flaw may also exist.

Security researcher Le Xuan Tuyen of VNPT ISC reported the flaw to the Zero Day Initiative, and Microsoft patched the ProxyToken vulnerability in the cumulative updates for Microsoft Exchange on July Patch Tuesday.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news