Details have emerged of (another) Exchange Server vulnerability, called ProxyToken, which allows an attacker to reconfigure an Exchange server remotely without needing to know any passwords.
Reported by the Zero Day Initiative the vulnerability affects Exchange server versions 2013 through 2019:
With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. As an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.
~ Zero Day Initiative
Tracked as CVE-2021-33766 this vulnerability was addressed in the April and July security patches according to Microsoft – although it was omitted from the documentation of the April patch bundle.
The vulnerability is caused by a pair of errors in the Exchange code. Architecturally, Exchange Server includes two IIS instances, one which is essentially a proxy server on the front end that handles client requests for Outlook Web Access (OWA) and the second named ‘Exchange Back End’ which processes requests from the front end server. The front end server usually handles authentication but can delegate this to the back end server in certain circumstances. The vulnerability exists because the front end can be tricked into delegating authentication to the back end simply by including a cookie called SecurityToken in a request – and the back end server in a default configuration does not have the authentication module enabled and the code is designed to ‘fail open’ meaning the authentication is assumed to have worked. As a result, an unauthenticated attacker can issue commands to the Exchange Back End server causing it to disclose information and even amend configuration settings such as mail forwarding rules.
Full details of the bug are covered by the Zero Day Initiative blog post and make informative reading for developers and software architects interested in designing security into their software.
System Admins still catching up on their summer security patches should pay special attention to their Microsoft Exchange servers which have been put in the spotlight this year with a series of serious and well publicised vulnerabilities.