New Microsoft Exchange ProxyToken Vulnerability (1st September 2021)

Ref# AL2021_23 | Date: Sep 1st 2021

On 30th August 2021, Ravie Lakshmanan of The Hacker News reported on a vulnerability in Microsoft Exchange. Le Xuan Tuyen, a researcher at the Information Security Centre of Vietnam Posts and Telecommunications Group, found a security vulnerability affecting Microsoft Exchange Server that could be exploited by an unauthenticated attacker to modify server configurations, which can lead to the disclosure of Personally Identifiable Information (PII).

Summary

An unauthenticated attacker can reconfigure mailboxes belonging to arbitrary users. This can be used to duplicate emails addressed to a target account and forward them to an account controlled by the attacker.

How it works

With this vulnerability, an attacker can perform configuration actions on mailboxes belonging to arbitrary users. The security flaw resides in a feature called Delegated Authentication, a mechanism that allows the front-end website of Outlook Web Access (OWA) to pass authentication requests directly to the back end when a security token cookie is detected. However, Exchange has to be specifically configured to use this feature and have the back end carry out the checks. Under the default configuration, the module that handles this delegation (DelegatedAuthModule) isn't loaded. The result is a bypass: the front end hands the request over without authenticating it, and the back end fails to authenticate incoming requests based on security token cookies.
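The trust gap described above can be shown with a simplified model. This is an added example, not code from Exchange or from the researcher; the class names, the fail_closed option, the cookie key and the sample token are assumptions made for illustration.

```python
from typing import Optional

VALID_TOKENS = {"tok-alice": "alice"}  # constructed sample token store

def validate_token(token: str) -> Optional[str]:
    """Stand-in for the check the delegation module would perform."""
    return VALID_TOKENS.get(token)

class BackEnd:
    def __init__(self, delegated_module_loaded: bool, fail_closed: bool = False):
        self.delegated_module_loaded = delegated_module_loaded
        self.fail_closed = fail_closed  # hypothetical hardening switch

    def handle(self, cookies: dict, delegated: bool, front_end_user: Optional[str]) -> int:
        if not delegated:
            # Normal path: the front end already authenticated the user.
            return 200 if front_end_user else 401
        if self.delegated_module_loaded:
            # Configured deployment: the back end validates the token itself.
            return 200 if validate_token(cookies.get("SecurityToken", "")) else 401
        if self.fail_closed:
            # Hardened behaviour: nobody can vouch for this request, so reject it.
            return 401
        # Default-configuration flaw: the front end skipped authentication and
        # the module that should check the token is not loaded.
        return 200

class FrontEnd:
    def __init__(self, back_end: BackEnd):
        self.back_end = back_end

    def handle(self, cookies: dict, user: Optional[str] = None) -> int:
        if "SecurityToken" in cookies:
            # Delegation: the front end does not authenticate, it passes the request on.
            return self.back_end.handle(cookies, delegated=True, front_end_user=None)
        if user is None:
            return 401
        return self.back_end.handle(cookies, delegated=False, front_end_user=user)

def outcome(module_loaded: bool, fail_closed: bool, token: str) -> int:
    """Status for a request that carries only a security token cookie."""
    front = FrontEnd(BackEnd(module_loaded, fail_closed))
    return front.handle({"SecurityToken": token})

if __name__ == "__main__":
    print("default config, unverified token:", outcome(False, False, "unverified"))
    print("module loaded, unverified token: ", outcome(True, False, "unverified"))
    print("fail closed, unverified token:   ", outcome(False, True, "unverified"))
```

In the model, the request is accepted only in the default configuration, where neither tier performs the check; loading the module or rejecting delegated requests that cannot be validated closes the gap.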

For further information on this vulnerability, kindly follow the URL:

https://thehackernews.com/2021/08/new-microsoft-exchange-proxytoken-flaw.html

Remediation

To safeguard against such attacks, Microsoft recommends that users apply its Patch Tuesday updates from July 2021. Updates can be found at the following URL:

https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
