ProxyToken Flaw Heightens Concerns Over Security of Microsoft Exchange Server

Published: 23/11/2024   Category: security

New flaw is one among several that have been disclosed in the software over the past several months.



A new Microsoft Exchange Server vulnerability disclosed this week by security researchers from Trend Micro's Zero Day Initiative (ZDI) has exacerbated concerns about the technology's exposure to a range of dangerous new attacks.
The flaw, which ZDI researchers have dubbed ProxyToken, allows an authenticated attacker to configure mailboxes belonging to arbitrary users so the adversary can, for instance, surreptitiously copy emails addressed to a target or forward emails to an attacker-controlled account. An adversary would need to be on the same Exchange server as the victim to successfully execute the attack. Microsoft issued a patch for this information-disclosure vulnerability, CVE-2021-33766, in its July 2021 cumulative update for Exchange.
From a severity standpoint, the ProxyToken vulnerability is less critical than some other security bugs recently discovered in Exchange Server. Those include a set of four flaws disclosed in March that some collectively refer to as ProxyLogon, and another set of three bugs disclosed last month called ProxyShell. Both sets of flaws, when chained, allow attackers to take control of affected systems and remotely execute malicious code on them.
Attackers, most notably a China-backed threat group called Hafnium, are believed to have exploited the ProxyLogon flaws on some 30,000 systems belonging to numerous organizations in the US and elsewhere before Microsoft issued an update. The flaws sparked widespread concern both because of their ubiquity and because they gave attackers a way to gain and maintain persistent access on enterprise networks. The ProxyShell flaws similarly triggered an advisory from the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) amid reports of mass exploitation of the bugs in late August.
The ProxyToken flaw that ZDI disclosed this week further demonstrates how Exchange presents a highly valuable and vulnerability-rich attack surface for threat actors. "This is definitely a serious flaw as it could allow an attacker to automatically forward emails from a target server to one they control," says Dustin Childs, communications manager with Trend Micro's ZDI.
"Attackers could potentially use the bug to make other illicit modifications to Exchange mailbox configurations besides the creation of forwarding rules," he says. "But unlike the previous Exchange bugs, this cannot be used for code execution," Childs adds.
ZDI researchers have so far not observed active exploitation of the flaw in the wild, he says, "but we have a working proof-of-concept, so it would not surprise us to see this used in the wild in the near future."
The ProxyToken vulnerability itself stems from the way Exchange Server is architected to handle authentication requests under some conditions, according to ZDI. For access requests that require certain types of authentication, a front-end component serves pages such as Outlook Web Access (OWA) and logon.aspx.
"For all post-authentication requests, the front end's main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client," ZDI said.
However, in some situations the front end passes access requests directly to the back end and leaves it to the back end to determine whether the request has been authenticated. But unless the Exchange installation has been specifically configured to use the so-called delegated authentication feature, the back end will not authenticate the incoming request either, giving attackers an opening to exploit.
System administrators should carefully monitor their Exchange servers for unusual activity or network traffic, Childs says. "While there are no known mitigations for this vulnerability, using a defense-in-depth approach, such as restrictive access and endpoint detection, can help network defenders protect from and remediate attacks as they occur," he notes.
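As an added defender-side example (not from the article, ZDI, or Microsoft), the following Exchange Management Shell script audits the configuration the article says ProxyToken lets an attacker change: mailbox-level forwarding and inbox rules that forward or redirect mail to addresses outside the organization. It assumes an Exchange Management Shell session with `Get-Mailbox`, `Get-InboxRule` and `Get-AcceptedDomain` available, and treats every accepted domain of the org as internal.

```powershell
# Added example: list mailbox forwarding and inbox rules that send mail outside the org.
# Assumes an Exchange Management Shell session; accepted domains are taken as "internal".
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Get-SmtpDomain {
    param([string]$Recipient)
    # Accepts "user@example.com", "smtp:user@example.com" or the
    # '"Name" [SMTP:user@example.com]' form Get-InboxRule returns.
    # Returns $null for EX:/DN-style targets, which are always internal.
    if ($Recipient -match '([^\s"\[\]<>:]+)@([^\s"\[\]<>]+)') { return $Matches[2].ToLower() }
    return $null
}

function Test-ExternalRecipient {
    param([string]$Recipient)
    $domain = Get-SmtpDomain $Recipient
    return ($null -ne $domain) -and ($internalDomains -notcontains $domain)
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Forwarding configured on the mailbox object itself (set via Set-Mailbox).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalRecipient ([string]$mbx.ForwardingSmtpAddress))) {
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Kind     = 'ForwardingSmtpAddress'
            Target   = [string]$mbx.ForwardingSmtpAddress
            KeepCopy = $mbx.DeliverToMailboxAndForward   # $true = victim still sees the mail
        }
    }
    # 2. Inbox rules that forward or redirect mail (the kind of change the article describes).
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalRecipient ([string]$t))) {
                $findings += [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Kind     = "InboxRule: $($rule.Name)"
                    Target   = [string]$t
                    KeepCopy = -not $rule.DeleteMessage
                }
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run surfaces newly created external forwarding, which is the observable side effect of the abuse the article describes even when the originating request left little trace.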
Mitigation Measures
Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, says organizations should prioritize applying the patches that Microsoft has released for ProxyToken and the earlier Exchange vulnerabilities. Though there hasn't been any observed exploit activity yet targeting the newest flaw, it's likely attackers will start going after it soon, he says.
"We've already seen attackers quickly adapt and use earlier exploits such as ProxyLogon and ProxyShell this year, so it only stands to reason that ProxyToken is next in line, especially given factors of no authentication, no user interaction, and no privileges required to make it work," Nikkel says.
Daniel Katz, director of solution engineering at Vulcan Cyber, says organizations that are applying Microsoft's updates for the Exchange flaw need to realize their systems may require a restart later. "There are also some known issues within each of these updates, so it's important to be aware of potential impact when implementing them," he says.
Organizations with up-to-date operating systems as of the last patch on August 10 should be safe, Katz says.
Organizations that cannot update their Exchange servers immediately should consider implementing Microsoft's instructions for mitigating the vulnerabilities via reconfiguration.
"Microsoft also released an automatic on-premises Exchange Server mitigation now available in Microsoft Defender Antivirus," Katz says. "It's important to remember that the mitigations suggested are not substitutes for installing the updates, and the patches should be deployed as soon as possible."
