The issue was reported to the Zero Day Initiative in March 2021 by researcher Le Xuan Tuyen of VNPT ISC, and it was patched by Microsoft in the July 2021 Exchange cumulative updates.
More specifically, ProxyToken could allow an unauthenticated attacker to perform configuration actions on mailboxes. In terms of impact, the flaw could be abused to copy all emails addressed to a target, and forward them to an attacker-controlled account.
What causes the ProxyToken (CVE-2021-33766) vulnerability?
The flaw stems from a feature called Delegated Authentication, which passes authentication requests from the front end to the back end. Such requests carry a cookie named SecurityToken for identification. If the front end sees a non-empty SecurityToken cookie, it delegates authentication to the back end. Notably, Microsoft Exchange has to be specifically configured for the back end to perform that authentication; in a default configuration the DelegatedAuthModule, the module responsible for it, is not loaded.
“In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end,” according to Zero Day Initiative’s report.
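The hand-off the report describes can be modelled in a few lines to show why neither tier ends up checking the request, and what a fail-closed back end would do instead. This is an added illustration written for this page, not Exchange's code or ZDI's proof of concept; the class names (FrontEnd, BackEnd), the fields delegated_auth_loaded and fail_closed, and every cookie and token value are constructed assumptions that stand in for the real components.

```python
"""Two-tier authentication hand-off modelled on the ProxyToken description.

Added example, not Exchange's code. The class and field names (FrontEnd,
BackEnd, delegated_auth_loaded, fail_closed) are assumptions standing in for the
real components; the credential and token values are constructed. The model
shows why the bug exists: the front end treats a SecurityToken cookie as "the
back end will authenticate", while a back end without DelegatedAuthModule
never looks at the cookie, so neither tier checks. A fail-closed back end
rejects a delegated request it cannot validate instead of letting it through.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

VALID_TOKEN = "constructed-valid-security-token"   # constructed, not a real format


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    authenticated_user: Optional[str] = None   # set only by the front end's own check


@dataclass
class BackEnd:
    delegated_auth_loaded: bool      # is DelegatedAuthModule present?
    fail_closed: bool = False        # hardened: never trust an unverified delegation

    def handle(self, req: Request, delegated: bool) -> str:
        """Return 'allow' or 'deny' for a request the front end proxied to us."""
        if req.authenticated_user is not None:
            return "allow"                       # front end already verified the user
        if not delegated:
            return "deny"                        # no identity established anywhere
        if self.delegated_auth_loaded:
            token = req.cookies.get("SecurityToken")
            return "allow" if token == VALID_TOKEN else "deny"
        # The vulnerable state: delegation arrived but nothing here validates it.
        return "deny" if self.fail_closed else "allow"


@dataclass
class FrontEnd:
    back_end: BackEnd
    sessions: Dict[str, str]         # constructed session-cookie -> user map

    def handle(self, req: Request) -> str:
        if req.cookies.get("SecurityToken"):
            # Delegated Authentication: the front end skips its own check entirely.
            return self.back_end.handle(req, delegated=True)
        req.authenticated_user = self.sessions.get(req.cookies.get("session", ""))
        return self.back_end.handle(req, delegated=False)


def decide(module_loaded: bool, fail_closed: bool, cookies: Dict[str, str]) -> str:
    """Run one request through a front end / back end pair with the given state."""
    fe = FrontEnd(BackEnd(module_loaded, fail_closed), sessions={"sess-alice": "alice"})
    return fe.handle(Request("/ecp/", dict(cookies)))


if __name__ == "__main__":
    bogus = {"SecurityToken": "anything-non-empty"}
    print("default install, bogus token:", decide(False, False, bogus))      # allow  <- the bug
    print("delegation configured, bogus token:", decide(True, False, bogus))  # deny
    print("default install, fail-closed:", decide(False, True, bogus))        # deny
```

The first printed case is the page's scenario: a default install, where the module is absent and a non-empty cookie is enough for the front end to step aside. The design lesson is that delegation must be fail-closed: a tier that receives a request marked "someone else authenticates this" must reject it unless it can actually perform that check itself.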
The ProxyToken exploit requires the attacker to have an account on the same Exchange server as the victim. The exploit installs a forwarding rule allowing the attacker to read all the victim’s incoming messages.
“On some Exchange installations, an administrator may have set a global configuration value that permits forwarding rules having arbitrary Internet destinations, and in that case, the attacker does not need any Exchange credentials at all. Furthermore, since the entire /ecp site is potentially affected, various other means of exploitation may be available as well,” the report notes.
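Because the end result described above is a forwarding rule on the victim's mailbox, the practical check for a defender is an audit of inbox rules that send mail outside the organisation. The following is an added example written for this page, not part of the article or of Exchange; the rule records are constructed to resemble the properties Exchange exposes through Get-InboxRule (Name, MailboxOwnerId, ForwardTo, ForwardAsAttachmentTo, RedirectTo) but are invented sample data, and INTERNAL_DOMAINS is an assumed list of the organisation's own accepted domains.

```python
"""Forwarding-rule audit for the outcome described above.

Added example, not part of the article and not Exchange code. The rule records
below are constructed to resemble the properties Exchange exposes through
Get-InboxRule (Name, MailboxOwnerId, ForwardTo, ForwardAsAttachmentTo,
RedirectTo) but are invented sample data; INTERNAL_DOMAINS is an assumed list
of the organisation's own accepted domains.
"""
from typing import Dict, List

INTERNAL_DOMAINS = {"corp.example"}   # constructed: the org's accepted domains


def recipient_domain(entry: str) -> str:
    """Extract the domain from either a bare SMTP address or the
    '"Display Name" [SMTP:user@domain]' form Exchange renders recipients in."""
    addr = entry
    if "[SMTP:" in entry:
        addr = entry.split("[SMTP:", 1)[1].rstrip("]")
    return addr.rsplit("@", 1)[-1].strip().lower()


def external_targets(rule: Dict) -> List[str]:
    """All forward/redirect destinations of a rule that leave the organisation."""
    found = []
    for prop in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(prop) or []:
            if recipient_domain(entry) not in INTERNAL_DOMAINS:
                found.append(entry)
    return found


def audit(rules: List[Dict]) -> List[Dict]:
    """Return one finding per rule that forwards or redirects mail externally."""
    findings = []
    for rule in rules:
        ext = external_targets(rule)
        if ext:
            findings.append({"mailbox": rule["MailboxOwnerId"],
                             "rule": rule["Name"], "targets": ext})
    return findings


# Constructed sample rules: one benign internal forward, two external ones.
SAMPLE_RULES = [
    {"Name": "To helpdesk", "MailboxOwnerId": "alice@corp.example",
     "ForwardTo": ["helpdesk@corp.example"]},
    {"Name": "Sync", "MailboxOwnerId": "bob@corp.example",
     "ForwardTo": ['"Mail Sync" [SMTP:collector@attacker.example]']},
    {"Name": "Archive", "MailboxOwnerId": "carol@corp.example",
     "RedirectTo": ["carol.personal@mail.example"],
     "ForwardAsAttachmentTo": []},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f['mailbox']}: rule '{f['rule']}' sends mail to {f['targets']}")
```

In practice the input would be the real rule list exported from the Exchange Management Shell (for example Get-InboxRule across all mailboxes, piped through ConvertTo-Json), and the audit should run on a schedule since the report notes the rule is installed by the exploit, not by the user. The "global configuration value" the report mentions is the kind of setting that lives on the remote-domain configuration (the AutoForwardEnabled property shown by Get-RemoteDomain), so reviewing that alongside the rule audit covers the no-credentials case as well.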