ProxyToken vulnerability can modify Exchange server configs
Catalin Cimpanu August 30, 2021

If the ProxyShell vulnerability wasn’t enough of a good reason for system administrators to apply the July 2020 Microsoft Exchange security updates, there is a second major security bug in those updates that can allow for devastating hacks.

Nicknamed ProxyToken, the vulnerability allows a remote attacker to bypass authentication and make changes to an Exchange email server’s backend configuration.

Discovered by Le Xuan Tuyen, a Vietnamese security researcher with VNPT ISC, the ProxyToken vulnerability could be used to surreptitiously add an email forwarding rule to a user’s mailbox so that all emails addressed to the victim will also be sent to an account controlled by the attacker.

Le, who reported the bug through the Zero-Day Initiative program, says the vulnerability exists because of two issues in the Exchange code:

  • Requests redirected from the frontend to the backend are not authenticated if they contain a non-empty cookie named “SecurityToken”.
  • HTTP 500 error responses expose an Exchange control panel canary token.

Le says that by combining the two, a ProxyToken attack becomes possible: attackers can easily make requests to any part of the Exchange backend, including its users’ control panels and settings.
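The two conditions above are also what a defender can look for in IIS logs on the Exchange frontend. The following log-triage script is an added example, not code from the article or from the researcher; it assumes IIS is configured to log the cs(Cookie) field, and the log lines it parses are constructed for illustration.

```python
"""Triage IIS W3C log lines for the two ProxyToken conditions described above.

Flags (1) requests to the Exchange Control Panel (/ecp/) that carry a non-empty
'SecurityToken' cookie and (2) HTTP 500 responses on /ecp/ paths. Assumes IIS
logging of the cs(Cookie) field is enabled; the sample lines are constructed.
"""
from typing import Dict, List

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip cs(Cookie)
2021-08-30 10:00:01 GET /owa/ - 200 192.0.2.10 OutlookSession=abc
2021-08-30 10:00:05 GET /ecp/DDI/DDIService.svc/GetList - 200 198.51.100.7 SecurityToken=x
2021-08-30 10:00:09 POST /ecp/default.aspx - 500 198.51.100.7 -
2021-08-30 10:00:12 GET /ecp/default.aspx - 200 192.0.2.10 SecurityToken=
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn a W3C-format log into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def cookie_value(cookie_field: str, name: str) -> str:
    """Extract one cookie's value from the IIS cs(Cookie) field ('-' means no cookie).

    IIS writes the raw Cookie header with spaces replaced by '+', so both are stripped.
    """
    if cookie_field == "-":
        return ""
    for part in cookie_field.split(";"):
        key, _, val = part.strip("+ ").partition("=")
        if key == name:
            return val
    return ""


def find_proxytoken_indicators(text: str) -> List[str]:
    """Return one human-readable finding per suspicious /ecp/ request."""
    findings: List[str] = []
    for row in parse_w3c(text):
        path = row.get("cs-uri-stem", "").lower()
        if not path.startswith("/ecp/"):
            continue
        if cookie_value(row.get("cs(Cookie)", "-"), "SecurityToken"):
            findings.append(f"{row['c-ip']} non-empty SecurityToken cookie on {path}")
        if row.get("sc-status") == "500":
            findings.append(f"{row['c-ip']} HTTP 500 on {path} (canary may be exposed)")
    return findings


if __name__ == "__main__":
    for finding in find_proxytoken_indicators(SAMPLE_LOG):
        print(finding)
```

An empty SecurityToken cookie is deliberately not flagged, since the article describes the bypass as requiring a non-empty value.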

Reported in April, the bug was fixed with the July 2021 Patch Tuesday security updates under the CVE-2021-33766 identifier.

Since details about this attack are expected to go live later today on the Zero-Day Initiative blog, server owners should expect threat actors to weaponize this vector.

This is exactly what happened last month when attacks against Exchange servers took off after details about the ProxyShell vulnerability were published online. Those attacks quickly escalated in a matter of days and today, a new ransomware operation known as LockFile is abusing Exchange servers to encrypt corporate networks.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.