In the April 2021 cumulative updates, Microsoft fixed a vulnerability in its on-premises Exchange servers that allowed attackers to change the server configuration without authentication. An unauthenticated attacker could change the mailbox configuration of arbitrary users and thereby have all emails addressed to an account copied and forwarded to an account under the attacker's control.
The vulnerability, called ProxyToken (CVE-2021-33766), which carries a CVSS score of 6.5, was discovered by Le Xuan Tuyen, a Vietnamese security researcher at VNPT ISC. He then reported the whole thing via the Zero Day Initiative (ZDI), as can be seen from the following tweet.
The ZDI blog post describes the vulnerability in more detail. Microsoft Exchange creates two websites in IIS, a frontend and a backend.
- Front end: This is the default website, which listens on port 80 for HTTP and port 443 for HTTPS and to which all clients connect for web access (OWA, ECP) and web services.
- Back end: The "Exchange Back End" website listens on port 81 for HTTP and port 444 for HTTPS.
The front end acts as a proxy that passes requests to the back end. To enable access that requires form authentication, the front end provides pages such as /owa/auth/logon.aspx for authentication. For all requests after authentication, the front end's main task is to repackage the requests and forward them to the appropriate endpoints on the Exchange back end site. It then collects the responses from the back end and forwards them to the client.
The problem is that Exchange supports a feature called "delegated authentication" for cross-forest topologies. In such deployments, the front end is not able to make authentication decisions on its own. Instead, the front end forwards requests directly to the back end and relies on the back end to determine whether the request is properly authenticated. These requests, which are supposed to be authenticated by back end logic, are identified by the presence of a SecurityToken cookie.
The security researcher found configurations in which the front end, on seeing the SecurityToken cookie, leaves the authentication of the request to the back end. However, the back end does not know that it needs to authenticate such incoming requests based on the SecurityToken cookie, because the DelegatedAuthModule is not loaded on installations that have not been configured to use the delegated authentication feature. The result is that requests can go through without being subjected to authentication on either the front end or the back end.
The bottom line is that an unauthenticated attacker could have changed the configuration of any user's mailboxes and had their mail forwarded to an account controlled by the attacker. However, this assumes that the attacker has control over the target account on the Exchange Server. The more complex details can be read in the ZDI blog post. The vulnerability was reported to ZDI in March 2021 by security researcher Le Xuan Tuyen, who passed it on to Microsoft.
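For administrators who want to look back through their IIS logs for the pattern described above, here is an added example (not from the ZDI post or from Microsoft): it parses IIS W3C log lines and flags requests to /ecp/ that were served with status 200 although no authenticated user was recorded, and additionally notes when a SecurityToken cookie was present. It assumes the optional cs(Cookie) field has been enabled in IIS logging; the sample log lines are constructed.

```python
"""Flag unauthenticated ECP requests in IIS W3C logs (ProxyToken pattern)."""

# Constructed sample log in IIS W3C extended format. The optional cs(Cookie)
# field is assumed to be enabled; IIS does not log it by default.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status cs(Cookie)
2021-04-20 10:00:01 GET /owa/auth/logon.aspx - - 203.0.113.5 200 -
2021-04-20 10:00:02 POST /ecp/RulesEditor/InboxRules.svc/NewObject - - 203.0.113.5 200 SecurityToken=x
2021-04-20 10:00:03 GET /ecp/ - CONTOSO\\alice 198.51.100.7 200 ASP.NET_SessionId=abc
2021-04-20 10:00:04 GET /ecp/ - - 203.0.113.5 302 -
2021-04-20 10:00:05 POST /ecp/RulesEditor/InboxRules.svc/NewObject - - 203.0.113.9 200 -
"""


def parse_w3c(text):
    """Yield one dict per log entry, naming columns from the #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may emit a new header per log file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue  # skip truncated or malformed lines
        yield dict(zip(fields, values))


def classify(entry):
    """Return a finding label for an entry, or None if it looks normal.

    'proxytoken': anonymous request to /ecp/ answered 200 with a SecurityToken cookie.
    'anon-ecp-200': anonymous request to /ecp/ answered 200 (cookie logging may be off).
    Normal behaviour for an anonymous /ecp/ request is a 302 redirect to the logon page.
    """
    if not entry["cs-uri-stem"].lower().startswith("/ecp/"):
        return None
    if entry["cs-username"] != "-" or entry["sc-status"] != "200":
        return None
    if "securitytoken=" in entry.get("cs(Cookie)", "").lower():
        return "proxytoken"
    return "anon-ecp-200"


def find_suspicious(text):
    """Return [(label, entry), ...] for every flagged entry in the log text."""
    return [(classify(e), e) for e in parse_w3c(text) if classify(e)]
```

Run it against real logs by replacing SAMPLE_LOG with the file contents; hits from an anonymous source address on inbox-rule endpoints deserve a follow-up check of the affected mailboxes' forwarding settings.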
The vulnerability was then closed, according to ZDI, by the Exchange CUs (Cumulative Updates) in June 2021. Microsoft did not provide details in the relevant support articles (see my blog post Cumulative Exchange CUs June 2021 released).
However, there is this comment from Microsoft employee Nino Bilic, who points out that CVE-2021-33766 was already fixed in April 2021. The vulnerability once again underlines the importance of keeping one's Exchange Server installations up to date with the latest patches.
Security updates for Exchange Server (July 2021)
Cumulative Exchange CUs June 2021 released
Exchange Server Security Update KB5001779 (April 13, 2021)
Exchange issues with ECP/OWA search after installing security update (March 2021)
Exchange security updates from July 2021 break ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)