By security practitioners, for security practitioners

ProxyToken Exchange Vulnerability Allows Attacker To Intercept Others’ Emails

Microsoft has patched ProxyToken, the most recent in a string of serious Exchange server vulnerabilities. It’s recommended that on-prem Exchange servers are patched ASAP.

Background

Included with the July 2021 Exchange Cumulative Update patch is a fix to the ProxyToken vulnerability.

Though specific configurations are required to pull off this attack, an attacker who meets them can perform arbitrary actions on a victim’s mailbox. This includes copying all emails from the victim’s mailbox, or setting up forwarding rules to capture new emails.

This is the most recent in a series of severe Exchange server vulnerabilities patched by Microsoft. Researchers have detected active exploit attempts in the wild as early as August 10th.

ProxyToken Details

Researchers disclosed a new Exchange Server vulnerability, dubbed ProxyToken, to the Zero Day Initiative.

It takes advantage of the fact that Exchange Server configures two web sites for serving content: a front-end site that Outlook clients connect to in order to view email, and a back-end site that does the actual work of interacting with the server.

One of the functions of the front-end site is to proxy authenticated requests to the back-end site. Researchers were able to exploit this proxying when the back-end site is not configured to support Delegated Authentication, a feature provided by the DelegatedAuthenticationModule that supports authentication in cross-forest AD topologies.

In configurations where the DelegatedAuthenticationModule isn’t loaded, the attacker can include a SecurityToken cookie in their request. The presence of this cookie tells the front-end site that the request uses Delegated Authentication, so the front end passes the request through to the Exchange Server back end for authentication.

The back end, unable to properly authenticate such requests, effectively lets the request through. Technically, the request will get a 500 error without a valid ECP Canary. Yet the researchers were able to take the valid Canary attached to that 500 error response and use it in a subsequent request to bypass this validation.
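As an added, defender-side illustration that is not part of the original post, the following Python flags IIS W3C log entries to the ECP path that carry a SecurityToken cookie, the signal described above, and notes when the same client previously received a 500 on such a request. It assumes the optional cs(Cookie) field is being logged (the field layout below is an assumption), and the log lines are constructed.

```python
from typing import Dict, Iterator, List

# Constructed sample (not real traffic): a W3C header and four request lines.
# The cs(Cookie) column is only present if cookie logging is enabled in IIS.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2021-08-10 12:00:01 203.0.113.5 GET /owa/ - 200 -
2021-08-10 12:00:02 203.0.113.5 POST /ecp/example.aspx - 500 SecurityToken=x
2021-08-10 12:00:03 203.0.113.5 POST /ecp/example.aspx - 200 SecurityToken=x;+Other=abc
2021-08-10 12:00:04 198.51.100.7 GET /ecp/ - 200 ASP.NET_SessionId=zzz
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue  # blank, other directive, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def has_cookie(cookie_field: str, name: str) -> bool:
    """True if the logged cookie string contains a cookie called `name`.
    IIS writes '-' when no cookie was sent and '+' in place of spaces."""
    if cookie_field == "-":
        return False
    return any(part.strip().split("=", 1)[0] == name
               for part in cookie_field.replace("+", " ").split(";"))


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return ECP requests carrying a SecurityToken cookie, tagging a prior 500 from the same client."""
    hits: List[Dict[str, str]] = []
    seen_500 = set()  # client IPs that already got a 500 on such a request
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith("/ecp/"):
            continue
        if not has_cookie(rec["cs(Cookie)"], "SecurityToken"):
            continue
        note = "securitytoken-on-ecp"
        if rec["c-ip"] in seen_500:
            note += "+after-500"  # matches the 500-then-retry pattern described above
        if rec["sc-status"] == "500":
            seen_500.add(rec["c-ip"])
        hits.append({"ip": rec["c-ip"], "status": rec["sc-status"], "note": note})
    return hits
```

Run `find_suspicious(SAMPLE_LOG)` to see the two flagged entries; on a patched server a hit is still worth a look, since it shows someone probing for this bug.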

Exploitation of this vulnerability would allow an authenticated attacker to perform configuration actions on mailboxes belonging to arbitrary users. In the proof of concept, the researchers used this to copy all emails from a victim’s mailbox to an attacker’s mailbox.

The researcher warns that if the Exchange Server is configured to permit email forwarding rules to arbitrary destinations on the Internet, the attacker does not even require Exchange credentials.

After responsible disclosure of this vulnerability, Microsoft included a patch for this vulnerability in the July 2021 Exchange Cumulative Updates patch.

Given this vulnerability and the series of recently patched Exchange vulnerabilities (including ProxyToken, ProxyShell, ProxyLogon and ProxyOracle, summarized in the resource linked below), it is highly recommended that on-prem Exchange servers are fully patched.

Mitigations

Apply the July 2021 Exchange Cumulative Update patch to ensure protection against ProxyToken, as well as the other recent Zero Day Initiative Exchange vulnerabilities.

Resources

Zero Day Initiative Writeup from Researcher:
https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server

Official Microsoft Advisory:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33766

Summary of Recent Exchange Vulnerabilities, including ProxyToken:
https://thehackernews.com/2021/08/hackers-actively-searching-for.html
