[TheRecord] ProxyToken vulnerability can modify Exchange server configs

If the ProxyShell vulnerability wasn’t enough of a good reason for system administrators to apply the July 2020 Microsoft Exchange security updates, there is a second major security bug in those updates that can allow for devastating hacks.

Nicknamed ProxyToken, the vulnerability allows a remote attacker to bypass authentication and make changes to an Exchange email server’s backend configuration.

Discovered by Le Xuan Tuyen, a Vietnamese security researcher with VNPT ISC, the ProxyToken vulnerability could be used to surreptitiously add an email forwarding rule to a user’s mailbox so that all emails addressed to the victim will also be sent to an account controlled by the attacker.

Reported through the Zero-Day Initiative program, Le says the vulnerability exists because of two issues in the Exchange code:

1. Requests that contain a non-empty cookie named “SecurityToken” and are redirected from the frontend to the backend are not authenticated.

2. HTTP 500 error responses expose an Exchange control panel canary token.

By combining the two, Le says a ProxyToken attack is possible and that attackers can easily make requests to any part of the Exchange backend, including its users’ control panels and settings.
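Because the described outcome is a forwarding rule quietly added to a victim's mailbox, the check an Exchange administrator most wants after patching is an inventory of every mailbox that forwards or redirects mail outside the organization. The script below is an added example, not code from The Record article, the researcher or Microsoft. It assumes an Exchange Management Shell session (Get-AcceptedDomain, Get-Mailbox and Get-InboxRule are standard Exchange cmdlets), assumes that external recipients in a rule render with an "[SMTP:address]" tag, and uses a placeholder CSV path.

```powershell
# Added example: audit mailbox-level forwarding and inbox rules that send mail
# outside the organization. Not from the article; assumes an Exchange Management
# Shell session. Output path below is a placeholder.

# Every accepted domain counts as internal; anything else is external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Test-ExternalRecipient {
    param([string]$Recipient, [string[]]$InternalDomains)
    # Assumption: rule recipients render as '"Name" [SMTP:user@domain]' for SMTP
    # targets; directory objects render with an EX: legacy DN instead.
    if ($Recipient -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $Recipient }
    if ($addr -notmatch '@') { return $false }          # no SMTP address: internal object
    $domain = $addr.Split('@')[-1].ToLower()
    return -not ($InternalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding is set with Set-Mailbox, not via inbox rules,
    # so it is reported separately and in full for review.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Type    = 'MailboxForwarding'
            Rule    = ''
            Target  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            Enabled = $mbx.DeliverToMailboxAndForward
        }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        # All three rule actions that move a copy of the message elsewhere.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalRecipient -Recipient "$t" -InternalDomains $internalDomains) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Type    = 'InboxRule'
                    Rule    = $rule.Name
                    Target  = "$t"
                    Enabled = $rule.Enabled
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
# Placeholder path: keep the CSV as a baseline and diff later runs against it.
$findings | Export-Csv -NoTypeInformation -Path 'C:\PLACEHOLDER\external-forwarding.csv'
```

Run it once to establish a baseline and again on a schedule; a rule that appears between runs, especially one created without a matching user request, is the artifact a successful ProxyToken-style abuse would leave behind. Disabled rules are reported too, since the Enabled flag alone does not prove the rule was never active.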

Reported in April, the bug was fixed with the July 2021 Patch Tuesday security updates under the CVE-2021-33766 identifier.

Since details about this attack are expected to go live later today on the Zero-Day Initiative blog, server owners should expect threat actors to weaponize this vector.

This is exactly what happened last month when attacks against Exchange servers took off after details about the ProxyShell vulnerability were published online. Those attacks quickly escalated in a matter of days and today, a new ransomware operation known as LockFile is abusing Exchange servers to encrypt corporate networks.

The post ProxyToken vulnerability can modify Exchange server configs appeared first on The Record by Recorded Future.
