In April, Microsoft closed another, previously unknown, hole in the Exchange Server. ProxyToken cleverly bypasses the authentication for access to the configuration of an Exchange account. An attacker could use it to redirect incoming mail from an Exchange user to another account.
When exploiting the proxy token gap, the attacker plays the Exchange front end and the back end off against each other. To do this, it signals the front end with a special cookie named
SecurityTokenthat the backend would be ready for authentication. This is a function that is necessary for logging into complex Exchange installations (“Delegated Authentication” in cross-forest topologies).
You take it, I’ll have it for sure
Unfortunately, in the standard configuration, the backend does not load the DelegatedAuthModule module required for this at all and instead assumes that the frontend has already done the authentication. As a result, the attacker can pass on his configuration change to the backend without any login data.
This gap was discovered by the Vietnamese security researcher Le Xuan Tuyen, who reported it to the ZDI. These describe in a blog post the underlying problem now more precisely. They also explain that the current exploit only works in the default settings if the attacker himself also has an account on the same server to which he can forward the mail.
Microsoft apparently already has the CVE-2021-33766 vulnerability the April updates for Exchange closed. But they did not add a note to the documentation until August 24th. And he just speaks of a “vulnerability in Microsoft Exchange Server regarding disclosure of information” without further details. The ZDI article currently claims that the gap would be closed with the July updates. But a Microsoft employee contradicts this in his Clarification of which CVEs are fixed in which CU will
Microsoft’s patch policy for Exchange has already received a lot of criticism. Badly documented or not at all documented security patches make the administrators’ work unnecessarily difficult. The inscrutable muddle between cumulative updates, which also bring changes in functionality, and pure security updates repeatedly causes confusion and ultimately insecure Exchange servers. One could almost get the impression that Microsoft is consciously accepting this so that frustrated customers can finally switch to their Microsoft 365 cloud offering.