
After several serious vulnerabilities were discovered in Exchange Server, information has arrived about a new one. This issue is termed ‘ProxyToken’ and carries two identifiers: CVE-2021-33766 and ZDI-CAN-13477.

By exploiting this vulnerability, an external attacker can change the configuration of Exchange mailboxes. It can be used to copy a victim’s email from their mailbox to an account the attacker controls. It was a severe threat, which Microsoft rectified in July 2021.

The ProxyToken flaw was reported by researcher Le Xuan Tuyen of the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC). He says that the attacker can gain entry because of the design structure of Exchange Server.

Exchange Server creates two sites in IIS. The first is the front-end website, to which users connect over HTTP and HTTPS; users access Exchange through this front-end. In fact, the front-end website is just a proxy site that validates the connection and then passes the request on to the second, main (back-end) site.

Under some conditions, a flaw in ‘Delegated Authentication’ lets a request bypass the usual front-end checks and reach the main site directly. Hackers use this flaw to enter Exchange and copy mailbox data.
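The impact described above is a change to mailbox configuration so that mail is copied to an account the attacker controls. A defender’s first check after patching is therefore to look for forwarding that nobody legitimately set up. The following Exchange Management Shell script is an added example, not code from this article or from Microsoft. It assumes an on-premises Exchange Management Shell session with rights to run Get-Mailbox, Get-InboxRule and Get-AcceptedDomain; the report layout (column names, and treating any domain outside the accepted-domain list as “external”) is a convention chosen for the example.

```powershell
# Added example (not from the original article): audit mailbox-level forwarding and
# inbox rules that forward or redirect mail, and flag targets outside the organisation.
# Assumes an Exchange Management Shell session with permission to run
# Get-Mailbox, Get-InboxRule and Get-AcceptedDomain.

# Domains the organisation owns; anything else is treated as external (example convention).
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Test-IsExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # ForwardingSmtpAddress is stored as "smtp:user@domain"; inbox-rule recipients may be
    # display strings such as 'Name [SMTP:user@domain]' or plain addresses. Pull out the
    # first SMTP address we can find and compare its domain with the accepted domains.
    if ($Address -match '([\w\.\-\+]+@([\w\-]+\.)+[\w\-]+)') {
        $domain = $Matches[1].Split('@')[1].ToLower()
        return -not ($internalDomains -contains $domain)
    }
    # No SMTP address visible (e.g. an internal recipient shown by display name only).
    return $false
}

$findings = @()

# 1. Mailbox-level forwarding set through Set-Mailbox: the configuration an attacker
#    who can change mailbox settings would alter.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $target = if ($_.ForwardingSmtpAddress) { [string]$_.ForwardingSmtpAddress } else { [string]$_.ForwardingAddress }
        $findings += [pscustomobject]@{
            Mailbox  = [string]$_.PrimarySmtpAddress
            Source   = 'Mailbox'
            Target   = $target
            External = Test-IsExternalAddress ([string]$_.ForwardingSmtpAddress)
            KeepCopy = $_.DeliverToMailboxAndForward
        }
    }

# 2. Inbox rules that forward or redirect. Get-InboxRule runs per mailbox and is slow in
#    large organisations; scope Get-Mailbox with -Filter or -OrganizationalUnit in production.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = [string]$_.PrimarySmtpAddress
    Get-InboxRule -Mailbox $mbx -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule = $_
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
            foreach ($t in $targets) {
                $findings += [pscustomobject]@{
                    Mailbox  = $mbx
                    Source   = "InboxRule:$($rule.Name)"
                    Target   = [string]$t
                    External = Test-IsExternalAddress ([string]$t)
                    KeepCopy = 'n/a'
                }
            }
        }
}

# External targets first; review every entry against change records, not just the external ones,
# since an attacker may also forward to a mailbox they control inside the organisation.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```

Run it once as a baseline after applying the July 2021 update, keep the output, and re-run on a schedule so that newly appearing forwarding targets stand out rather than being lost among long-standing, legitimate rules.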

Microsoft has now rectified the flaw and removed this vulnerability. Let’s hope there are no more such fault lines in the Exchange Server environment.
