[TheRecord] ProxyToken vulnerability can modify Exchange server configs

If the ProxyShell vulnerability wasn’t enough of a good reason for system administrators to apply the July 2020 Microsoft Exchange security updates, there is a second major security bug in those updates that can allow for devastating hacks.

Nicknamed ProxyToken, the vulnerability allows a remote attacker to bypass authentication and make changes to an Exchange email server’s backend configuration.

Discovered by Le Xuan Tuyen, a Vietnamese security researcher with VNPT ISC, the ProxyToken vulnerability could be used to surreptitiously add an email forwarding rule to a user’s mailbox so that all emails addressed to the victim will also be sent to an account controlled by the attacker.

Le, who reported the bug through the Zero-Day Initiative program, says the vulnerability exists because of two issues in the Exchange code:

Requests that contain a non-empty cookie named “SecurityToken” and are redirected from the frontend to the backend are not authenticated.

HTTP 500 error responses expose an Exchange control panel canary token.

By combining the two, Le says a ProxyToken attack is possible and that attackers can easily make requests to any part of the Exchange backend, including its users’ control panels and settings.
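The outcome the article describes is a hidden forwarding rule on a victim's mailbox, so the check an Exchange administrator wants after patching is an audit of every mailbox for rules or mailbox settings that send mail elsewhere, plus confirmation of which security update build is actually installed. The following is an added example for the Exchange Management Shell; it is not code from The Record article or from the researcher. It assumes an on-premises Exchange server where Get-Mailbox, Get-InboxRule, Get-ExchangeServer and ExSetup.exe are available, and the expected build number is left as a placeholder to be filled in from Microsoft's release notes.

```powershell
# Added example (not from the article): audit mailboxes for forwarding and
# confirm the installed Exchange security-update build. Run in the Exchange
# Management Shell on an on-premises server.

# 1. Mailbox-level forwarding and inbox rules that forward or redirect mail.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Forwarding configured on the mailbox object itself
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Kind     = 'MailboxForwarding'
            RuleName = $null
            Target   = (@($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) -join '; '
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    # Inbox rules whose action sends the message to another recipient
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        if ($targets.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Kind     = 'InboxRule'
                RuleName = $rule.Name
                Target   = ($targets -join '; ')
                KeepCopy = -not $rule.DeleteMessage   # a rule that also deletes hides the forward from the user
            }
        }
    }
}

# Review the list by hand: rules pointing at addresses outside your accepted
# domains, or created without a matching change ticket, are the ones to chase.
$report | Sort-Object Kind, Mailbox | Format-Table -AutoSize
$report | Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation

# 2. Confirm the security-update level. AdminDisplayVersion only reflects the
#    cumulative update; the SU build is in the ExSetup.exe file version.
$expectedBuild = 'FILL-IN-FROM-MS-RELEASE-NOTES'   # placeholder, e.g. the July 2021 SU build for your CU
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
$installed = (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
"Installed ExSetup build: $installed (expected at least: $expectedBuild)"
```

The forwarding audit is worth running even on patched servers: a rule planted before the update survives patching, and a rule that both forwards and deletes (KeepCopy = False) is the variant least likely to be noticed by the mailbox owner.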

Reported in April, the bug was fixed with the July 2021 Patch Tuesday security updates under the CVE-2021-33766 identifier.

Since details about this attack are expected to go live later today on the Zero-Day Initiative blog, server owners should expect threat actors to weaponize this vector.

This is exactly what happened last month when attacks against Exchange servers took off after details about the ProxyShell vulnerability were published online. Those attacks escalated within a matter of days, and today a new ransomware operation known as LockFile is abusing Exchange servers to encrypt corporate networks.

The post ProxyToken vulnerability can modify Exchange server configs appeared first on The Record by Recorded Future.

