A new Microsoft Exchange Server vulnerability disclosed this week by security researchers from Trend Micro's Zero Day Initiative (ZDI) has exacerbated concerns about the technology's vulnerability to a range of dangerous, new attacks.
The flaw, which ZDI researchers have dubbed ProxyToken, allows an authenticated attacker to configure email boxes belonging to arbitrary users so the adversary can, for instance, surreptitiously copy emails addressed to a target or forward emails to an attacker-controlled account. An adversary would need to be on the same Exchange server as the victim to successfully execute the attack. Microsoft issued a patch for this information-disclosure vulnerability, CVE-2021-33766, in its July 2021 cumulative update for Exchange.
From a severity standpoint, the ProxyToken vulnerability is relatively less critical compared with some other security bugs recently discovered in Exchange Server. Those include a set of four flaws in March that some collectively refer to as ProxyLogon, and another set of three bugs disclosed last month called ProxyShell. Both sets of flaws, when chained, allow attackers to take control of impacted systems and remotely execute malicious code on them.
Attackers, most notably a China-backed threat group called Hafnium, is believed to have exploited or attacked the ProxyLogon flaws on some 30,000 systems belonging to numerous organizations in the US and elsewhere before Microsoft issued an update. The flaws sparked widespread concern both because of their ubiquity and because they gave attackers a way to gain and maintain persistent access on enterprise networks. The ProxyShell flaws similarly triggered an advisory from the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) amid reports of mass exploits of the bugs in late August.
The ProxyToken flaw that ZDI disclosed this week further demonstrates how Exchange presents a highly valuable and vulnerability-rich attack surface for threat actors. "This is definitely a serious flaw as it could allow an attacker to automatically forward emails from a target server to one they control," says Dustin Childs, communications manager with Trend Micro's ZDI.
Attackers could potentially use the bug to make other illicit modifications to Exchange mailbox configurations besides the creation of forwarding rules, he says. "But unlike the previous Exchange bugs, this cannot be used for code execution," Childs adds.
ZDI researchers have so far not observed active exploitation of the flaw in the wild, he says, but "we have a working proof-of-concept, so it would not surprise us to see this used in the wild in the near future."
The ProxyToken vulnerability itself stems from the way Exchange Server is architected to handle authentication requests under some conditions, according to ZDI. For access requests that require certain types of authentication, a front-end component serves pages such as Outlook Web Access (OWA) and logon.aspx.
"For all post-authentication requests, the front end's main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client," ZDI said.
However, in some situations, the front end passes on access requests directly to the back end, and leaves it to the back end to determine whether the access request has been authenticated. But unless the Exchange installation has been specifically configured to use a so-called delegated authentication feature, the back end will not authenticate the incoming request either, giving attackers an opening to exploit.
"System administrators should carefully monitor their Exchange servers for unusual activity or network traffic," Childs says. While there are no known mitigations for this vulnerability, using a defense-in-depth approach, such as restrictive access and endpoint detection, can help network defenders protect from and remediate attacks as they occur, he notes.
Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, says organizations should prioritize applying the patches that Microsoft has released for ProxyToken and the earlier Exchange vulnerabilities. Though there hasn't been any observed exploit activity yet targeting the newest flaw, it's likely attackers will start going after it soon, he says.
"We've already seen attackers quickly adapt and use earlier exploits such as ProxyLogon and ProxyShell this year, so it only stands to reason that ProxyToken is next in line, especially given factors of no authentication, no user interaction, and no privileges required to make it work," Nikkel says.
Daniel Katz, director of solution engineering at Vulcan Cyber, says organizations that are applying Microsoft's updates for the Exchange flaw need to realize their systems may require a restart later. There are also some known issues within each of these updates, so it’s important to be aware of potential impact when implementing them, he says.
"Organizations with up-to-date operating systems as of the last patch on August 10 should be safe," Katz says.
Organizations that cannot update their Exchange servers immediately should consider implementing Microsoft's instructions for mitigating the vulnerabilities via reconfiguration.
"Microsoft also released an automatic on-premises Exchange Server mitigation now available in Microsoft Defender Antivirus," Katz says. "It’s important to remember that the mitigations suggested are not substitutes for installing the updates, and the patches should be deployed as soon as possible."