{"id":42394,"date":"2021-08-31T11:12:06","date_gmt":"2021-08-31T11:12:06","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=c8bd55479396ea3fd4456c5ed13df90d"},"modified":"2021-08-31T11:12:06","modified_gmt":"2021-08-31T11:12:06","slug":"microsoft-exchange-server-flaw-lets-attackers-misconfigure-mailboxes","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/microsoft-exchange-server-flaw-lets-attackers-misconfigure-mailboxes\/","title":{"rendered":"Microsoft Exchange Server flaw lets attackers misconfigure mailboxes"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\"><br \/>\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/keumars-afifi-sabet-0\">Keumars Afifi-Sabet<\/a><\/span><br \/>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">31 Aug, 2021<\/span><\/div>\n<\/p><\/div>\n<\/div>\n<div class=\"field field-name-body\">\n<p>A now-patched vulnerability in Microsoft Exchange Server, dubbed ProxyToken, could be abused by an unauthenticated attacker to perform configuration actions on targeted mailboxes.<\/p>\n<p>This latest flaw in the beleaguered platform is tracked as CVE-2021-33766 and rated 7.3 out of ten on the threat severity scale; if abused, it could lead to the disclosure of personal information.<\/p>\n<p>\nA hypothetical example of exploitation,\u00a0<a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2021\/8\/30\/proxytoken-an-authentication-bypass-in-microsoft-exchange-server\">according to researchers with the Zero Day Initiative<\/a>, could lead to an attacker copying all email addresses on a targeted 
account and forwarding them to an account controlled by the attacker.<\/p>\n<p>The flaw lies in the Delegated Authentication feature, a mechanism in which the front-end site passes authentication requests to the back-end system when it detects the presence of a SecurityToken cookie.<\/p>\n<p>Because Microsoft Exchange needs to be specifically configured to use the feature and have the back-end carry out checks, the module that handles this delegation isn\u2019t loaded under a default configuration.<\/p>\n<p>This leads to a bypass as the back-end fails to authenticate incoming requests based on the SecurityToken cookie. The back-end will be completely unaware that it needs to authenticate incoming requests, which means requests can sail through without being subject to authentication on either the front-end or back-end systems.<\/p>\n<p>Microsoft\u00a0<a href=\"https:\/\/www.itpro.co.uk\/security\/exploits\/360411\/top-30-most-exploited-vulnerabilities-since-2020-revealed\">patched this vulnerability<\/a>\u00a0as part of its Patch Tuesday round of fixes for July, with no evidence so far that hackers have exploited it.<\/p>\n<p>Businesses will nonetheless be on high alert at the existence of another Microsoft Exchange Server flaw, following the supply-chain attack earlier in the year.<\/p>\n<p>Hackers linked with the Chinese state\u00a0<a href=\"https:\/\/www.itpro.co.uk\/security\/zero-day-exploit\/358760\/microsoft-exchange-zero-day-hack\">exploited four flaws in the platform to launch a series of attacks<\/a>\u00a0against potentially hundreds of thousands of victims in March, according to security researchers.<\/p>\n<p>The incident was one of many similar supply-chain attacks during 2021, including\u00a0<a href=\"https:\/\/www.itpro.co.uk\/security\/cyber-attacks\/358738\/intern-blamed-for-weak-password-that-may-have-sparked-solarwinds\">the infamous SolarWinds hack<\/a>\u00a0towards the end of last year. 
<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>      Keumars Afifi-Sabet<\/p>\n<p>        31 Aug, 2021    <\/p>\n<p>      A now-patched vulnerability in Microsoft Exchange Server, dubbed ProxyToken, could be abused by an unauthenticated attacker to perform configuration actions on targeted mailboxes.<br \/>\nThis la&#8230;<\/p>\n","protected":false},"author":433,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-42394","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/42394","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/433"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=42394"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/42394\/revisions"}],"predecessor-version":[{"id":42395,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/42394\/revisions\/42395"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=42394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=42394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=42394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}