In April, another previously unknown vulnerability in Microsoft Exchange Server was closed. ProxyToken cleverly bypasses authentication to gain access to the configuration of Exchange accounts. An attacker can use it to redirect an Exchange user's incoming mail to another account.
When exploiting the ProxyToken vulnerability, the attacker plays the Exchange front end and back end against each other. To do this, they signal to the front end with a special cookie named SecurityToken that the back end will take care of authentication. This is a feature for logins in complex Exchange installations ("Delegated Authentication" in cross-forest topologies).
You take it and I will definitely get it
Unfortunately, in the standard configuration the back end does not load the required DelegatedAuthModule; instead, it assumes in turn that the front end has already authenticated the request. As a result, the attacker can send a configuration change to the back end without any login data.
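As a defensive illustration of the mechanism above, the following added example (not from the original article, ZDI or Microsoft) scans IIS W3C log text for unauthenticated requests that carry a SecurityToken cookie. It assumes the optional cs(Cookie) field has been enabled in IIS logging; the log lines, paths and addresses are constructed sample data, and in genuine cross-forest deployments that use delegated authentication such requests can be legitimate.

```python
# Added example: flag anonymous requests carrying a SecurityToken cookie.
# Assumption: IIS W3C logging includes the optional cs(Cookie) field.

# Constructed sample log (not real traffic; paths and IPs are placeholders).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Cookie) sc-status
2021-08-30 10:00:01 GET /owa/ CONTOSO\\alice 198.51.100.7 cadata=abc 200
2021-08-30 10:00:05 POST /example/path - 203.0.113.9 SecurityToken=x 200
2021-08-30 10:00:09 GET /owa/auth/logon.aspx - 203.0.113.9 - 200
2021-08-30 10:00:12 POST /example/path - 203.0.113.9 a=1;+SecurityToken=x 404
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def cookie_names(raw):
    """Return lower-cased cookie names; IIS logs spaces as '+' and empty as '-'."""
    if raw in ("", "-"):
        return set()
    parts = (p.strip("+ ") for p in raw.split(";"))
    return {p.split("=", 1)[0].lower() for p in parts if p}


def suspicious(entries):
    """Entries with no authenticated user that still present a SecurityToken cookie."""
    hits = []
    for e in entries:
        anonymous = e.get("cs-username", "-") == "-"
        if anonymous and "securitytoken" in cookie_names(e.get("cs(Cookie)", "-")):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in suspicious(parse_w3c(SAMPLE_LOG)):
        print(e["date"], e["time"], e["c-ip"], e["cs-method"],
              e["cs-uri-stem"], e["sc-status"])
```
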
The gap was discovered by Vietnamese security researcher Le Xuan Tuyen, who reported it to ZDI. In a blog post, ZDI now describes the underlying problem in more detail. They also explain that the current exploit works in the default settings only if the attacker has an account on the same server to which he can send the mail.
Microsoft already closed the CVE-2021-33766 vulnerability with the April updates for Exchange, but did not add the note to the documentation until August 24th. That note also speaks only of "information exposure vulnerabilities on the Microsoft Exchange server" without further details. The ZDI article currently states that the gap was closed with the July updates, but a Microsoft employee contradicts this ("Clarify which CVEs are fixed in which CU").
Microsoft's patch policy for Exchange has already received a lot of criticism. Poorly documented or undocumented security fixes unnecessarily complicate the work of administrators. The impenetrable confusion between cumulative updates, which can repeatedly lead to changes in operation, and pure security updates ultimately results in insecure Exchange servers. One can get the impression that Microsoft knowingly accepts this so that frustrated customers finally switch to its Microsoft 365 cloud offering.