On 30th August 2021, Ravie Lakshmanan of The Hacker News reported that Le Xuan Tuyen, a researcher at the Information Security Centre of Vietnam Posts and Telecommunications Group, had found a security vulnerability affecting Microsoft Exchange Server. An unauthenticated attacker could exploit it to modify server configurations, which can lead to the disclosure of Personally Identifiable Information (PII).
An unauthenticated attacker can reconfigure mailboxes belonging to arbitrary users. This can be used to copy emails addressed to a target account and forward them to an account controlled by the attacker.
How it works
With this vulnerability, an attacker can perform configuration actions on mailboxes belonging to arbitrary users. The security flaw resides in a feature called Delegation Authentication, a mechanism that allows the front-end website of Outlook Web Access (OWA) to pass authentication requests directly to the back end when a Security Token cookie is detected. However, Exchange has to be specifically configured to use the feature and have the back end carry out the checks. In the default configuration, the module handling this delegation (DelegatedAuthModule) isn't loaded. This leads to a bypass: the front end passes the request on without authenticating it, and the back end fails to authenticate incoming requests based on Security Token cookies.
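A simplified model of the trust gap described above, added here as an illustration; it is not Exchange code and not Microsoft's patch. The function names, the HMAC token format, the `fail_closed` option and the cookie spelling `SecurityToken` are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

KEY = b"constructed-demo-key"  # constructed secret held only by the back end

def sign(user: str) -> str:
    """Issue a token of the form user.hmac (format assumed for this model)."""
    return user + "." + hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()

@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    session_user: Optional[str] = None  # set when the front end authenticated the caller
    delegated: bool = False

def delegated_auth_module(req: Request) -> Optional[str]:
    """Back-end check: return the user named in a valid token, else None."""
    token = req.cookies.get("SecurityToken", "")
    user = token.partition(".")[0]
    ok = user and hmac.compare_digest(sign(user).encode(), token.encode())
    return user if ok else None

def front_end(req: Request, back_end) -> str:
    if "SecurityToken" in req.cookies:   # cookie detected: skip auth, delegate
        req.delegated = True
        return back_end(req)
    if req.session_user is None:
        return "401 front end: login required"
    return back_end(req)

def make_back_end(module_loaded: bool, fail_closed: bool = False):
    def back_end(req: Request) -> str:
        user = req.session_user
        if req.delegated:
            if module_loaded:
                user = delegated_auth_module(req)
                if user is None:
                    return "401 back end: invalid token"
            elif fail_closed:            # hardened: nobody can vouch, so refuse
                return "401 back end: delegation not configured"
        return f"200 mailbox settings changed, authenticated user={user}"
    return back_end

if __name__ == "__main__":
    forged = {"SecurityToken": "not-a-real-token"}  # constructed value
    print("default   :", front_end(Request(cookies=dict(forged)), make_back_end(False)))
    print("module on :", front_end(Request(cookies=dict(forged)), make_back_end(True)))
    print("fail close:", front_end(Request(cookies=dict(forged)), make_back_end(False, True)))
```

In the default case each tier assumes the other has authenticated the caller, so the change is accepted with no user at all; loading the module or failing closed on the back end both turn the same request into a 401.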
For further information on this vulnerability, kindly follow the URL:
To safeguard against such attacks, Microsoft recommends that users apply its Patch Tuesday updates from July 2021. Updates can be found at the following URL:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
New Microsoft Exchange proxy token flaw alert (31st August 2021). Retrieved from Cyber Intel.
New Microsoft Exchange proxy token flaw alert (13th July 2021). Retrieved from The Hacker News.