ProxyToken Exchange Server Vulnerability [CVE-2021-33766]

CVE number – CVE-2021-33766

The vulnerability was reported in March 2021 by researcher Le Xuan Tuyen of VNPT ISC, and it was patched by Microsoft in the July 2021 Exchange cumulative updates.

This new high-severity flaw, known as ProxyToken, allows unauthenticated attackers to install a forwarding rule on victims’ mailboxes that forwards incoming emails to their own account, according to a blog post published on 30th August 2021 by Trend Micro’s Zero Day Initiative (ZDI).

This latest vulnerability relates to the ‘Delegated Authentication’ mechanism and impacts deployments in their default configuration.

This particular exploit assumes that the attacker has an account on the same Exchange server as the victim. It installs a forwarding rule that allows the attacker to read all the victim’s incoming mail. On some Exchange installations, an administrator may have set a global configuration value that permits forwarding rules having arbitrary Internet destinations, and in that case, the attacker does not need any Exchange credentials at all. Furthermore, since the entire /ecp site is potentially affected, various other means of exploitation may be available as well.
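
A defender-side audit for the forwarding configuration described above, as an added example that is not from the original post, Microsoft or ZDI. It lists inbox rules and mailbox settings that forward mail, and assumes the "global configuration value" mentioned above corresponds to the remote-domain AutoForwardEnabled setting; `$InternalDomains`, the helper function names and the sample rules are constructed placeholders.

```powershell
# Added example; run in the Exchange Management Shell of an on-premises server.
# Assumption: $InternalDomains holds your accepted SMTP domains (placeholder below).
$InternalDomains = @('example.com')

function Test-ExternalTarget {
    param([string]$Target)
    # Targets render like '"Name" [SMTP:user@domain]'; extract the SMTP domain.
    if ($Target -match '[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)') {
        return $InternalDomains -notcontains $Matches[1].ToLower()
    }
    return $false   # no SMTP address: a directory recipient, treated as internal
}

function Get-ForwardingFinding {
    param([Parameter(ValueFromPipeline = $true)]$Rule)
    process {
        # The three inbox-rule actions that send a copy of the mail elsewhere.
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) +
                   @($Rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId; Rule = $Rule.Name
                Enabled = $Rule.Enabled; Target = "$t"
                External = Test-ExternalTarget "$t"
            }
        }
    }
}

if (Get-Command Get-InboxRule -ErrorAction SilentlyContinue) {
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited)
    # 1. Inbox rules that forward or redirect mail.
    $rules = foreach ($m in $mailboxes) { Get-InboxRule -Mailbox $m.Identity }
    # 2. Forwarding set on the mailbox object itself rather than by a rule.
    $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Format-Table Name, ForwardingSmtpAddress, ForwardingAddress
    # 3. Remote domains that permit automatic forwarding to Internet recipients.
    Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } |
        Format-Table Name, DomainName
} else {
    # Constructed sample rules so the logic can be tried without Exchange.
    $rules = @(
        [pscustomobject]@{ MailboxOwnerId = 'example.com/Users/alice'; Name = 'sample-1'
            Enabled = $true; ForwardTo = '"x" [SMTP:inbox@external.test]' }
        [pscustomobject]@{ MailboxOwnerId = 'example.com/Users/bob'; Name = 'sample-2'
            Enabled = $true; RedirectTo = '"Carol" [SMTP:carol@example.com]' }
    )
}
$rules | Get-ForwardingFinding | Sort-Object External -Descending | Format-Table -AutoSize
```

Rules flagged `External = True` that the mailbox owner does not recognise are the ones to review first.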

Further information on this CVE can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766

You can read the full blog post regarding this here:

https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
