CyberManipal.

Tech news from MIST

Proxy server vulnerability messing with Exchange Server config

Vulnerabilities
@DevataRohan

Devata Rohan

August 30, 2021

Some system administrators thought the ProxyShell vulnerability wasn't a good reason to apply the July 2020 Microsoft Exchange security updates, but a second major security bug, nicknamed ProxyToken, has now been found. This vulnerability allows an attacker to bypass authentication easily and make changes to the backend configuration of the Exchange email server. It can also be used to clandestinely add an email forwarding rule to a user's mailbox, so that all emails addressed to the victim are also sent to an account handled by the attacker.

The bug was discovered by a Vietnamese researcher named Le Xuan Tuyen. Through the Zero-Day Initiative program, Le said that the bug existed for two reasons:

- Requests containing a non-empty cookie named "securityToken" that are redirected from the frontend to the backend are not authenticated.
- HTTP 500 responses expose an Exchange Control Panel canary token.

Together, these two flaws make ProxyToken attacks possible, and attackers can easily send requests to any part of the backend. According to the reports, the bug was reported in April and was fixed in July under the CVE-2021-33766 identifier.

This follows what happened last month, when attacks against Exchange servers took off after the details about the vulnerability were published online. Matters escalated within a few days, and today we are again introduced to a new ransomware operation known as LockFile, which abuses Exchange servers to encrypt corporate networks.
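The two conditions Le described can be hunted for in front-end web logs. The following is an added example, not code from the original post or from Microsoft; it assumes IIS W3C logs with the `cs(Cookie)` field enabled and the Exchange Control Panel served under `/ecp/`, and it runs on constructed log lines.

```python
# Added example: flag unauthenticated Exchange Control Panel requests that carry
# a non-empty SecurityToken cookie, and mark the ones answered with HTTP 500.
# Assumptions: W3C extended log format, cs(Cookie) logging enabled, ECP under /ecp/.

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Cookie) sc-status
2021-08-30 10:00:01 GET /ecp/default.aspx alice@example.test 192.0.2.10 ASP.NET_SessionId=abc 200
2021-08-30 10:00:05 POST /ecp/constructed/path - 198.51.100.7 SecurityToken=x 500
2021-08-30 10:00:06 POST /ecp/constructed/path - 198.51.100.7 SecurityToken=x;+other=1 200
2021-08-30 10:00:09 GET /owa/ - 203.0.113.4 - 302
2021-08-30 10:00:12 GET /ecp/ - 203.0.113.4 SecurityToken= 302
"""  # constructed sample; addresses come from documentation ranges


def parse_cookies(raw):
    """Return {lowercased name: value} from a logged cookie field ('-' means none)."""
    if raw == "-":
        return {}
    # IIS writes spaces inside a field as '+', so undo that before splitting.
    pairs = (p.split("=", 1) for p in raw.replace("+", " ").split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def find_suspicious(log_text):
    """Return (date, time, client_ip, uri, kind) for each matching request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith("/ecp/"):
            continue
        token = parse_cookies(row.get("cs(Cookie)", "-")).get("securitytoken", "")
        # A non-empty token on a request with no authenticated user is the pattern.
        if token and row.get("cs-username") == "-":
            kind = ("http500-canary-exposure" if row.get("sc-status") == "500"
                    else "unauthenticated-token")
            hits.append((row["date"], row["time"], row["c-ip"], row["cs-uri-stem"], kind))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

A server patched for CVE-2021-33766 may still log such requests, so hits show probing and should be followed by a review of mailbox forwarding settings.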

Abridged from The Record Media
