New 'ProxyToken' Exchange Server vulnerability disclosed

The Exchange Server vulnerability could allow an attacker 'to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.'

A new flaw in Microsoft Exchange Server, known as "ProxyToken," was disclosed Monday, marking the third "proxy" vulnerability this year.

The authentication bypass vulnerability, tracked as CVE-2021-33766, was published by Zero Day Initiative (ZDI), Trend Micro's vendor-agnostic bug bounty and vulnerability disclosure program. It was reported to the program in March by researcher Le Xuan Tuyen of Vietnamese telecom company VNPT ISC, and was patched by Microsoft as part of its July cumulative updates for Exchange Server.

Through ProxyToken (a name coined by ZDI), a threat actor could "perform configuration actions on mailboxes belonging to arbitrary users" on an Exchange server, according to the ZDI blog post disclosing the flaw. In one example from the post, "this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker."

CVE-2021-33766 has a Common Vulnerability Scoring System (CVSS) base score of 7.3, which places it in the high (but not critical) severity band. For comparison, two of the three ProxyShell vulnerabilities are rated critical, as is ProxyLogon (CVE-2021-26855).

The vulnerability's page on the Microsoft Security Response Center lists its exploit code maturity as "unproven," meaning that reported exploits are either nonexistent or theoretical. Microsoft did not respond to SearchSecurity's inquiry about evidence of exploitation. Instead, a spokesperson provided the following statement: "A security update was released in July. Customers who apply the update, or have automatic updates enabled, will be protected."

ProxyToken does not by itself give an attacker code execution; it is an authentication bypass against the Exchange Control Panel (ECP) that lets the attacker change mailbox configuration, such as forwarding settings. The exploit details provided by ZDI assume that the threat actor already holds an account on the same Exchange server as the victim, but depending on administrator settings, no credentials at all may be required.

"On some Exchange installations, an administrator may have set a global configuration value that permits forwarding rules having arbitrary Internet destinations, and in that case, the attacker does not need any Exchange credentials at all," the post reads. "Furthermore, since the entire /ecp [Exchange Control Panel] site is potentially affected, various other means of exploitation may be available as well."
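The two things a defender wants to know after reading that paragraph are whether their servers allow auto-forwarding to arbitrary Internet destinations and whether any mailbox already carries forwarding that nobody set on purpose. The following Exchange Management Shell script, added here as an example and not taken from the article, ZDI or Microsoft, checks both. It assumes (an assumption, not stated by ZDI) that the "global configuration value" referred to in the quote is the AutoForwardEnabled setting on the default remote domain, and it runs against on-premises Exchange 2013/2016/2019 with the admin audit log enabled.

```powershell
# Added example: post-ProxyToken configuration audit for on-premises Exchange.
# Run from the Exchange Management Shell with an account holding View-Only
# Organization Management (or higher). Nothing here changes configuration.
# Assumption: the "global configuration value" ZDI describes is the
# AutoForwardEnabled flag on the default remote domain ("*").

# 1. Record the patch level of every server. Compare AdminDisplayVersion
#    against Microsoft's build table for the July 2021 security update,
#    which is where CVE-2021-33766 was fixed.
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion | Format-Table -AutoSize

# 2. Can mailbox rules forward mail to arbitrary Internet destinations?
#    If AutoForwardEnabled is $true on the default remote domain, the
#    unauthenticated variant ZDI describes becomes relevant.
$autoForwardDomains = Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled -eq $true }
if ($autoForwardDomains) {
    Write-Warning ("Remote domains permitting auto-forward: " +
        ($autoForwardDomains.DomainName -join ', '))
} else {
    Write-Output "No remote domain permits auto-forward."
}

# 3. Mailbox-level forwarding. Set-Mailbox / ECP can set either an external
#    SMTP address (ForwardingSmtpAddress) or an internal recipient
#    (ForwardingAddress); both silently copy or divert the user's mail.
$allMailboxes = Get-Mailbox -ResultSize Unlimited
$forwarding = $allMailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward
Write-Output "Mailboxes with forwarding configured: $(@($forwarding).Count)"
$forwarding | Format-Table -AutoSize

# 4. Inbox rules that forward or redirect. These live inside the mailbox and
#    are easy to miss in a Get-Mailbox review.
$ruleHits = foreach ($mbx in $allMailboxes) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Rule    = $_.Name
                Enabled = $_.Enabled
                Targets = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join '; '
            }
        }
}
Write-Output "Inbox rules that forward or redirect: $(@($ruleHits).Count)"
$ruleHits | Format-Table -AutoSize

# 5. Attribution: who issued the cmdlets that create such forwarding in the
#    last 30 days. Changes made through the ECP are recorded here too, so a
#    Caller that does not match the mailbox owner or a known admin is the
#    thing to chase.
Search-AdminAuditLog -Cmdlets Set-Mailbox, New-InboxRule, Set-InboxRule `
    -StartDate (Get-Date).AddDays(-30) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate -Descending |
    Format-Table -AutoSize
```

Steps 3 and 4 are the ones that reveal an attack that already happened; step 2 is the precondition for the unauthenticated case. Any forwarding entry that the mailbox owner did not create should be treated as an indicator of compromise and removed only after the audit log entry for it has been preserved.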

ProxyToken continues the six-month string of serious Exchange Server vulnerabilities brought to light by security researchers. In March, ProxyLogon was disclosed and patched along with three closely related vulnerabilities that led to a mass exploitation of on-premises Exchange servers. And on Aug. 5, ProxyShell was discussed at Black Hat and Def Con by Devcore researcher Orange Tsai, who also discovered the ProxyLogon flaws. Despite patches being available for ProxyShell, exploitation of the chained vulnerabilities began soon after the presentations.

Orange Tsai called ProxyLogon "the tip of the iceberg" during his presentations and encouraged security researchers to examine the software for more proxy-related flaws. ZDI apparently agreed. "Exchange Server continues to be an amazingly fertile area for vulnerability research," the blog post said. "This can be attributed to the product's enormous complexity, both in terms of feature set and architecture."

In other Microsoft vulnerability news, a critical flaw in Azure Cosmos DB was disclosed last Thursday. Nir Ohfeld and Sagi Tzadik, security researchers at Wiz, explained in their disclosure how they were able to gain unrestricted access to the Cosmos DB databases of Azure customers, including Coca-Cola and Exxon Mobil.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
