
ProxyToken vulnerability on Exchange servers

The ProxyToken vulnerability in Microsoft Exchange Server was discovered and reported by Vietnam-based security researcher Le Xuan Tuyen in March 2021. It is a non-critical vulnerability. It affects Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. The flaw was reported through the Zero Day Initiative (ZDI).

The ProxyToken vulnerability has been assigned CVE-2021-33766 and carries a CVSS score of 7.3; NIST has given it a non-critical score of 7.5. In other words, ProxyToken is a non-critical but HIGH impact vulnerability on Microsoft Exchange servers, and its impact is felt at the level of the individual mailbox. Microsoft classifies it as an ‘Information Disclosure Vulnerability’.

This vulnerability affects on-premises Exchange servers. Office 365 and Microsoft 365 tenants are patched by Microsoft on the customer’s behalf.

What is the ProxyToken vulnerability?

The ProxyToken vulnerability abuses the communication between the Exchange server’s front end and back end to read a user’s emails and, in particular, to forward all emails of the compromised mailbox to an external email address. The impact is felt at the individual mailbox level: every email of that mailbox can end up forwarded to the attacker’s mailbox and compromised.

In the usual case, the mailbox can only be compromised by a user who also has an account on the same Exchange server: the vulnerability opens up Exchange mailboxes to any user who already exists on that server. In other words, on your company’s Exchange server, an existing user could read another user’s emails by using the ProxyToken exploit. For example, an administrator could read and forward a CTO’s emails if both accounts exist on the same Exchange server and the administrator knows how to exploit the ProxyToken vulnerability.

Where the Exchange admin has set up a global rule allowing forwarding to outside or third-party domains, the ProxyToken vulnerability works without the attacker needing an account or credentials on the same Exchange server. A global email-forwarding configuration of this kind therefore significantly raises the risk to the Exchange mailboxes.
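Because the forwarding configuration decides how far ProxyToken reaches, the first thing worth checking is where mail can already be forwarded. The following script is an added example, not code from the original post or from ZDI: it audits the three forwarding paths mentioned above (the global auto-forward setting on the default remote domain, forwarding set on mailbox objects, and inbox rules that forward or redirect mail) and flags targets outside your accepted domains. It assumes the standard on-premises Exchange Management Shell cmdlets and an Exchange admin account; the CSV output path is an assumed location.

```powershell
# Added example, not from the original post: audit the forwarding paths the
# article describes (global auto-forward to external domains, mailbox-level
# forwarding, and inbox rules that forward or redirect mail).
# Run from the Exchange Management Shell with an Exchange admin account.
# Assumptions: standard on-premises Exchange cmdlets; the CSV path below is an
# assumed location.

$ReportPath = 'C:\Temp\forwarding-audit.csv'   # assumed output location

# Domains the organisation owns; forwarding to anything else counts as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Get-TargetAddresses {
    # Pull SMTP addresses out of forwarding targets, which may be plain addresses,
    # "smtp:user@example.net", or rule recipients like "Name [SMTP:user@example.net]".
    param([string]$Target)
    [regex]::Matches($Target, '[\w.+-]+@[\w.-]+\.\w+') | ForEach-Object { $_.Value.ToLower() }
}

function Test-External {
    # True if any address belongs to a domain that is not an accepted domain.
    param([string[]]$Addresses)
    foreach ($a in $Addresses) {
        if ($internalDomains -notcontains $a.Split('@')[1]) { return $true }
    }
    return $false
}

# 1. Global setting: AutoForwardEnabled on the default ('*') remote domain is the
#    "allow forwarding to outside domains" configuration the article warns about.
$defaultRemote = Get-RemoteDomain | Where-Object { $_.DomainName -eq '*' }
if ($defaultRemote -and $defaultRemote.AutoForwardEnabled) {
    Write-Warning 'AutoForwardEnabled is TRUE on the default remote domain: mail can be auto-forwarded to any external domain.'
}

$findings  = New-Object System.Collections.Generic.List[object]
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # 2. Forwarding configured on the mailbox object itself. ForwardingAddress points
    #    at a recipient in the organisation (a contact may still be external), so
    #    review those contacts separately; ForwardingSmtpAddress is resolved here.
    $attrTargets = @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }
    if ($attrTargets) {
        $addrs = @(Get-TargetAddresses -Target ($attrTargets -join ' '))
        $findings.Add([pscustomobject]@{
            Mailbox    = "$($mbx.PrimarySmtpAddress)"
            Source     = 'MailboxAttribute'
            Target     = ($attrTargets -join '; ')
            IsExternal = Test-External -Addresses $addrs
        })
    }

    # 3. Inbox rules with a forward/redirect action (the usual way a compromised
    #    mailbox is drained to an attacker-controlled address).
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule    = $_
            $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ })
            $addrs   = @(Get-TargetAddresses -Target ($targets -join ' '))
            $findings.Add([pscustomobject]@{
                Mailbox    = "$($mbx.PrimarySmtpAddress)"
                Source     = "InboxRule: $($rule.Name) (Enabled=$($rule.Enabled))"
                Target     = ($targets -join '; ')
                IsExternal = Test-External -Addresses $addrs
            })
        }
}

$findings | Sort-Object IsExternal -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
'{0} forwarding entries found, {1} to external addresses. Report: {2}' -f `
    $findings.Count, @($findings | Where-Object IsExternal).Count, $ReportPath
```

Entries with IsExternal set to True are the ones to review first; a forward to an address in a domain you do not own, created on a mailbox whose owner did not request it, is exactly the outcome the article describes. If the default remote domain reports AutoForwardEnabled as True, disabling it (or scoping it to specific remote domains) removes the condition under which ProxyToken works without an account on the server.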

You can read the full details of the vulnerability and the technical process for attacking an Exchange mailbox at https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server

At a high level, you can understand the vulnerability in terms of the front end, the back end and the security token on the Exchange server. The front end (for example Outlook Web Access) acts as a proxy to the back end. Requests from the front end carry a security token and must be authenticated by the back end before any transaction on the Exchange server is performed. It is this security token that an attacker with credentials on the same Exchange server can abuse.

How can I resolve the ProxyToken vulnerability on an Exchange server?

Microsoft released a security update on July 13, 2021 that resolves the ProxyToken vulnerability on Exchange servers. If you follow a proactive patching schedule, your Exchange server may already have received this security update. The update is released for the following cumulative updates:

  • Cumulative Updates 8 and 9 for Exchange Server 2019
  • Cumulative Updates 19 and 20 for Exchange Server 2016
  • Cumulative Update 23 for Exchange Server 2013

All these updates for the Exchange Servers can be downloaded from the following link on the Microsoft site – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766

Please follow the instructions on the Microsoft site for downloading and installing the security updates on your Exchange servers.
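To confirm that the update actually landed on every server, it is not enough to look at the cumulative update number, because the security update changes the file version of ExSetup.exe without changing the CU. The following script is an added example, not code from the original post or from Microsoft: it reads the ExSetup.exe build from each server returned by Get-ExchangeServer and compares it with a minimum patched build per version branch. The build numbers in $MinimumPatchedBuild are placeholders to be filled in from the MSRC page linked above; this page does not state them. It also assumes PowerShell remoting (WinRM) to each Exchange server is available.

```powershell
# Added example, not from the original post: list the build of every Exchange
# server so it can be checked against the security update builds published on
# the MSRC page for CVE-2021-33766.
# Run from the Exchange Management Shell. Reading ExSetup.exe on each server
# uses PowerShell remoting (WinRM), which is an assumption about your environment.
# The build numbers in $MinimumPatchedBuild are PLACEHOLDERS: copy the July 2021
# security update builds for your CU from the MSRC page; they are not on this page.

$MinimumPatchedBuild = @{
    '15.2' = [version]'15.2.0.0'   # Exchange Server 2019 - PLACEHOLDER, fill from MSRC
    '15.1' = [version]'15.1.0.0'   # Exchange Server 2016 - PLACEHOLDER, fill from MSRC
    '15.0' = [version]'15.0.0.0'   # Exchange Server 2013 - PLACEHOLDER, fill from MSRC
}

function Get-ExSetupBuild {
    # AdminDisplayVersion only identifies the cumulative update; the file version of
    # ExSetup.exe also changes with each security update, so it is the value to compare.
    param([string]$ComputerName)
    $fileVersion = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        (Get-Item $exsetup).VersionInfo.FileVersion
    }
    [version]$fileVersion
}

function Get-PatchStatus {
    # Compare a server build with the minimum patched build for its 15.x branch.
    param([version]$Build, [hashtable]$Minimums)
    $branch = "$($Build.Major).$($Build.Minor)"
    if (-not $Minimums.ContainsKey($branch)) { return 'Unknown version branch' }
    $min = $Minimums[$branch]
    if ($min -eq [version]"$branch.0.0") { return 'Fill in minimum build from MSRC first' }
    if ($Build -ge $min) { 'Patched' } else { 'Needs security update' }
}

$report = foreach ($srv in Get-ExchangeServer) {
    try {
        $build  = Get-ExSetupBuild -ComputerName $srv.Fqdn
        $status = Get-PatchStatus -Build $build -Minimums $MinimumPatchedBuild
    } catch {
        $build  = $null
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Server              = $srv.Name
        AdminDisplayVersion = "$($srv.AdminDisplayVersion)"
        ExSetupBuild        = $build
        Status              = $status
    }
}

$report | Format-Table -AutoSize
```

Any server reporting "Needs security update" should be scheduled for the cumulative update and security update from the MSRC page; a server on a CU older than those listed above must first be brought to a supported CU before the security update can be installed.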

Conclusion

I will not lose my sleep over the ProxyToken vulnerability on the Exchange 2013, 2016 or 2019 servers. I will apply the cumulative updates released by Microsoft in my next maintenance window and be done with the ProxyToken exploit on the Exchange servers.