Security researcher Le Xuan Tuyen found a Microsoft Exchange Server bug that enables threat actors to access users' emails through an authentication bypass flaw.
Dubbed ProxyToken and tracked as CVE-2021-33766, the flaw allows an attacker to change email forwarding rules so that all emails addressed to a target are copied to an account controlled by the attacker.
The bug stems from the way Microsoft Exchange servers handle authentication between the frontend and backend systems through delegated authentication.
ProxyToken is the latest bug plaguing the Microsoft Exchange email server, after the ProxyShell vulnerability that was used to deploy LockFile ransomware.
Exchange Servers vulnerable to Delegated Authentication bypass flaw
The security researcher noted that Microsoft Exchange creates two IIS websites to serve web clients. The frontend, the default website, hosts Outlook Web Access (OWA) and the Exchange Control Panel (ECP) and listens on ports 80 for HTTP and 443 for HTTPS.
For requests that require forms authentication, the frontend serves logon pages such as /owa/auth/logon.aspx. Clients also connect to the frontend to use web services. In both cases the frontend acts as a proxy: it repackages requests, sends them to the backend, and forwards the backend's responses to the clients.
The backend website, named "Exchange Back End", listens on ports 81 for HTTP and 444 for HTTPS. To trigger the vulnerability, an attacker sends requests containing a non-empty SecurityToken cookie to the /ecp route. When the frontend sees this cookie, it assumes that the backend alone is responsible for authenticating the request and forwards it. The backend would then have to perform the authentication check itself, but the module responsible for that, the DelegatedAuthModule, is not loaded in the Exchange Server's default configuration. The backend therefore does not know that it needs to authenticate incoming requests based on this SecurityToken, according to the Zero Day Initiative (ZDI) blog post.
An attacker also needs the "ECP canary" ticket that /ecp requests require. It can be obtained by triggering an HTTP 500 error: the error response contains a valid canary value, which can then be used in unauthenticated requests.
The net result is that requests sent this way are not subjected to authentication by either the frontend or the backend.
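As an added example (not part of the original article or of ZDI's research), the following PowerShell snippet hunts Exchange front-end IIS logs for the request pattern described above: a client that first draws an HTTP 500 from /ecp (the canary-harvesting step) and then receives successful responses to /ecp requests without IIS recording an authenticated user. The log lines are constructed for the example, the canary is assumed to travel in the msExchEcpCanary query parameter, and the heuristic is this example's own, not a Microsoft signature.

```powershell
# Added example (not from the article or ZDI): hunt Exchange front-end IIS logs for the
# ProxyToken request pattern. Heuristic, not a signature: one client first draws an HTTP 500
# from /ecp (the canary-harvesting step) and then gets 2xx responses to /ecp requests while
# IIS records no authenticated user (cs-username '-'). The canary is assumed to be carried in
# the msExchEcpCanary query parameter. The log lines are constructed for this example; real
# logs live under C:\inetpub\logs\LogFiles\W3SVC1\ for the Default Web Site.

$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-10 09:14:02 10.0.0.5 GET /ecp/ - 443 - 203.0.113.7 python-requests/2.25.1 500
2021-08-10 09:14:03 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject msExchEcpCanary=AbCdEf 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-10 09:20:11 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject msExchEcpCanary=XyZ123 443 CORP\alice 192.168.1.20 Mozilla/5.0 200
2021-08-10 09:21:40 10.0.0.5 GET /owa/ - 443 - 198.51.100.9 Mozilla/5.0 302
'@

function ConvertFrom-W3CLog {
    # Parse W3C extended log lines into objects keyed by the names in the #Fields: header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'          # W3C encodes spaces inside a field as '+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

function Find-ProxyTokenPattern {
    param([object[]]$Entries)
    $ecp = $Entries | Where-Object { $_.'cs-uri-stem' -like '/ecp/*' }
    foreach ($client in ($ecp | Group-Object 'c-ip')) {
        $errors500 = @($client.Group | Where-Object { $_.'sc-status' -eq '500' })
        $anonHits  = @($client.Group | Where-Object {
            $_.'cs-username' -eq '-' -and
            $_.'sc-status' -like '2*' -and
            $_.'cs-uri-query' -match 'msExchEcpCanary='
        })
        if ($errors500.Count -gt 0 -and $anonHits.Count -gt 0) {
            $first = $client.Group[0]
            [pscustomobject]@{
                ClientIP      = $client.Name
                FirstSeen     = "$($first.date) $($first.time)"
                Error500Count = $errors500.Count
                AnonEcpHits   = $anonHits.Count
                Paths         = ($anonHits.'cs-uri-stem' | Sort-Object -Unique) -join ';'
            }
        }
    }
}

$entries = ConvertFrom-W3CLog -Lines ($sampleLog -split "\r?\n")
Find-ProxyTokenPattern -Entries $entries | Format-Table -AutoSize
# Against real logs: ConvertFrom-W3CLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex210810.log')
```

On the constructed sample only 203.0.113.7 is reported: it drew a 500 and then an anonymous 200 on an /ecp path carrying a canary, while the CORP\alice session is authenticated and the /owa hit is out of scope. A hit is a lead, not proof; confirm it against the back-end site's own IIS log for the same timestamps and against the inbox rules of any mailbox named in the request bodies.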
Authentication bypass allows attackers to configure actions on victims' mailboxes
Consequently, the attacker can perform arbitrary configuration actions on the victim's mailbox, including copying all incoming emails and forwarding them to a mailbox of their own on the same server. That variant requires the attacker to authenticate, and therefore to hold an account on the same Exchange server.
However, if the Exchange server's administrator has permitted forwarding to external email addresses, the attacker needs no Exchange credentials at all. Based on these conditions, the ProxyToken authentication bypass vulnerability scored 7.3 on the CVSS scale.
Microsoft released patches for the Exchange Server authentication bypass vulnerability in the July 2021 cumulative updates. However, a fix was already available in the March 2021 security updates.
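The audit a defender would run after reading the two preceding paragraphs, as an added example that is not part of the original article: it lists mailbox-level forwarding and inbox rules that forward or redirect mail, flags targets outside the organization's accepted domains, and reports remote domains with AutoForwardEnabled, the setting that lets the no-credentials variant deliver to an external address. It is written for the Exchange Management Shell; the cmdlets (Get-AcceptedDomain, Get-Mailbox, Get-InboxRule, Get-RemoteDomain) are standard Exchange ones, while the helper functions and the report layout are this example's own.

```powershell
# Added example (not from the article or Microsoft): audit an on-premises Exchange
# organization for what a successful ProxyToken attack leaves behind (forwarding that copies
# a victim's mail elsewhere) and for the remote-domain setting that lets the no-credentials
# variant deliver to an external address. Run in the Exchange Management Shell.

$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Get-SmtpFromRecipient {
    param([string]$Recipient)
    # Inbox-rule recipients render as '"Name" [SMTP:user@example.org]' or, for internal
    # mailboxes, '"Name" [EX:/o=...]'; ForwardingSmtpAddress renders as 'smtp:user@host'.
    if ($Recipient -match '\[SMTP:([^\]]+)\]') { return $Matches[1] }
    if ($Recipient -match '^(?i:smtp:)?([^@\s"<>]+@[^@\s"<>]+)$') { return $Matches[1] }
    return $null
}

function Test-ExternalAddress {
    param([string]$Recipient)
    $smtp = Get-SmtpFromRecipient $Recipient
    if (-not $smtp) { return $false }     # legacyDN or unparsable: internal recipient
    $domain = ($smtp -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

function Get-SuspiciousForwarding {
    # Walks every mailbox, so expect this to take a while in a large organization.
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $owner = $mbx.PrimarySmtpAddress.ToString()

        # 1. Mailbox-level forwarding (Set-Mailbox -ForwardingSmtpAddress / -ForwardingAddress).
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox  = $owner
                Source   = 'Mailbox attribute'
                Rule     = '-'
                Target   = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
                External = Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)"
            }
        }

        # 2. Inbox rules that forward or redirect: the artifact ProxyToken lets an attacker plant.
        foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity)) {
            $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ } | ForEach-Object { "$_" })
            if ($targets.Count -eq 0) { continue }
            [pscustomobject]@{
                Mailbox  = $owner
                Source   = 'Inbox rule'
                Rule     = $rule.Name
                Target   = $targets -join '; '
                External = (@($targets | Where-Object { Test-ExternalAddress $_ }).Count -gt 0)
            }
        }
    }
}

# Remote domains with AutoForwardEnabled are what allow rule-based forwarding to leave the org.
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } |
    Select-Object Name, DomainName, AutoForwardEnabled

Get-SuspiciousForwarding | Sort-Object External -Descending | Format-Table -AutoSize
```

Rows with External = True are the ones to triage first; an internal-only forward still matters when the target mailbox belongs to an account the attacker controls, which is exactly the authenticated variant described above. If the remote-domain query returns the default "*" domain with AutoForwardEnabled set, the organization is exposed to the no-credentials variant until that is turned off or the July 2021 cumulative update is applied.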
“This is an interesting security vulnerability, but because this requires an existing active account on Microsoft Exchange to begin with … this isn’t a huge external threat,” Roger Grimes, data-driven defense evangelist at KnowBe4, said. “It can be used as part of a chained exploit where the attacker has already gained access, and it can be used for spear phishing, eavesdropping, and even escalation of privilege attacks … so it isn’t nothing.
“Anyone can think up some malicious attacks using it if the initial access is already gained. We most likely will not see a lot of illegal abuse of it. Still, good find for the discoverer and it’s a good thing that there’s already a patch for it.”
Threat actors exploiting the ProxyToken authentication bypass vulnerability in the wild
Attempts to exploit vulnerable Exchange servers were detected in the wild before the bug was publicly disclosed.
According to NCC Group researcher Rich Warren, threat actors had been attempting to trigger the authentication bypass vulnerability on Exchange servers since August 10, three weeks before the bug was disclosed. However, the Microsoft Security Response Center (MSRC) listed the authentication bypass vulnerability as not publicly exploited and less likely to be exploited.
The researchers noted that Microsoft Exchange servers remain a fertile area for bug hunting, attributing this to the product's rich feature set and complex architecture. As the researchers put it, the authentication bypass vulnerability is hardly the last security flaw that will affect Microsoft Exchange servers.