A new flaw in Microsoft Exchange Server, identified as “ProxyToken,” was disclosed Monday, marking the third “proxy” vulnerability this year.
The authentication bypass vulnerability, tracked as CVE-2021-33766, was published by Zero Day Initiative (ZDI), Trend Micro’s vendor-agnostic bug bounty and vulnerability disclosure program. It was reported to the program in March by researcher Le Xuan Tuyen of Vietnamese telecom organization VNPT ISC, and was patched by Microsoft as part of its July cumulative updates for Exchange Server.
Via ProxyToken (a name coined by ZDI), a threat actor could “perform configuration actions on mailboxes belonging to arbitrary users” on an Exchange server, according to the ZDI blog post disclosing the flaw. In one example given by the blog post, “this can be used to copy all email addressed to a target and account and forward them to an account controlled by the attacker.”
CVE-2021-33766 has a Common Vulnerability Scoring System (CVSS) rating of 7.3, which places it in the class of a high (but not critical) severity vulnerability. For comparison, two of the three ProxyShell vulnerabilities are considered critical severity, as is ProxyLogon (CVE-2021-26855).
The vulnerability’s page on the Microsoft Security Response Center lists its exploit code maturity as “unproven,” meaning that reported exploits are either nonexistent or theoretical. Microsoft did not respond to SearchSecurity’s inquiry about evidence of exploitation. Instead, a spokesperson provided the following statement: “A security update was released in July. Customers who apply the update, or have automatic updates enabled, will be protected.”
ProxyToken is capable of remote code execution under certain conditions. The exploit details provided by ZDI assume that the threat actor has an account on the same server as the victim, but depending on administrator settings, arbitrary execution is possible.
“On some Exchange installations, an administrator may have set a global configuration value that permits forwarding rules having arbitrary Internet destinations, and in that case, the attacker does not need any Exchange credentials at all,” the post reads. “Furthermore, since the entire /ecp [Exchange Control Panel] site is potentially affected, various other means of exploitation may be available as well.”
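The two conditions ZDI describes, a global setting that allows auto-forwarding to arbitrary Internet destinations and forwarding rules planted on a victim’s mailbox, are both visible from the Exchange Management Shell. The following audit script is an added example written for this page; it is not code from ZDI, Microsoft or SearchSecurity. It assumes an on-premises Exchange Management Shell session with the standard `Get-RemoteDomain`, `Get-AcceptedDomain`, `Get-Mailbox` and `Get-InboxRule` cmdlets, and it treats any domain not in the organization’s accepted domains as external (an assumption that may need adjusting for multi-tenant or hybrid deployments).

```powershell
# Added defensive audit (not from the article or ZDI): report the global
# auto-forward setting and any mailbox-level or inbox-rule forwarding that
# sends mail outside the organization. Assumes an on-premises Exchange
# Management Shell session.

# Domains this organization owns; anything else counts as an external target.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox rule targets look like: "Display Name" [SMTP:user@example.net]
    # and ForwardingSmtpAddress looks like: smtp:user@example.net
    if ($Address -match 'SMTP:([^\]]+)') { $Address = $Matches[1] }
    # Entries without an SMTP address (e.g. legacy EX:/o=... DNs) are internal recipients.
    if ($Address -notmatch '@') { return $false }
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings = @()

# 1. The global setting ZDI warns about: auto-forwarding permitted for a remote domain.
foreach ($rd in Get-RemoteDomain) {
    if ($rd.AutoForwardEnabled) {
        $findings += [pscustomobject]@{
            Type   = 'RemoteDomainAutoForward'
            Object = "$($rd.DomainName)"
            Target = 'AutoForwardEnabled is true'
        }
    }
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 2. Mailbox-level SMTP forwarding to an external address.
    $fwd = "$($mbx.ForwardingSmtpAddress)"
    if ($fwd -and (Test-ExternalAddress $fwd)) {
        $findings += [pscustomobject]@{
            Type   = 'MailboxForwarding'
            Object = "$($mbx.PrimarySmtpAddress)"
            Target = $fwd
        }
    }

    # 3. Enabled inbox rules that forward or redirect mail externally, the
    #    artifact a ProxyToken-style mailbox takeover would leave behind.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        if (-not $rule.Enabled) { continue }
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalAddress "$t")) {
                $findings += [pscustomobject]@{
                    Type   = 'InboxRule'
                    Object = "$($mbx.PrimarySmtpAddress) / $($rule.Name)"
                    Target = "$t"
                }
            }
        }
    }
}

$findings | Sort-Object Type, Object | Format-Table -AutoSize
```

A finding of type `RemoteDomainAutoForward` on the default remote domain is the configuration state under which ZDI says no credentials are needed, so it deserves attention regardless of whether any rules are found; `InboxRule` and `MailboxForwarding` findings should be reconciled against change tickets, since legitimate forwarding and a planted rule look identical in this output.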
ProxyToken continues the six-month string of major Exchange Server vulnerabilities brought to light by security researchers. In March, ProxyLogon was disclosed and patched along with three closely related vulnerabilities that led to mass exploitation of on-premises Exchange servers. And on Aug. 5, ProxyShell was discussed at Black Hat and Def Con by Devcore researcher Orange Tsai, who also discovered the ProxyLogon flaws. Despite patches being available for ProxyShell, exploitation of the chained vulnerabilities began shortly after the presentations.
Orange Tsai called ProxyLogon “the tip of the iceberg” during his presentations and encouraged security researchers to examine the software for more proxy-related flaws. ZDI evidently agreed. “Exchange Server continues to be an amazingly fertile area for vulnerability research,” the blog post said. “This can be attributed to the product’s enormous complexity, both in terms of feature set and architecture.”
In other Microsoft vulnerability news, a critical flaw in Azure Cosmos DB was disclosed last Thursday. Nir Ohfeld and Sagi Tzadik, security researchers at Wiz, explained in their disclosure how they were able to gain unrestricted access to Azure customers like Coca-Cola and Exxon Mobil.
Alexander Culafi is a writer, journalist and podcaster based in Boston.