ProxyToken: Authentication Bypass Vulnerability in On-Premises Microsoft Exchange


Background

On August 30, 2021, Trend Micro's Zero Day Initiative (ZDI) published a technical blog on CVE-2021-33766, an Exchange vulnerability also known as ProxyToken. A threat actor can exploit ProxyToken to bypass authentication on an on-premises Exchange Server and make mailbox configuration changes, including redirecting e-mail to an account under their control. The root cause described by ZDI is in the split between the Exchange front-end and back-end sites: a request to the Exchange Control Panel (/ecp) that carries a non-empty SecurityToken cookie is passed by the front end to the back end for authentication, but the back end's DelegatedAuthModule is not loaded in a default configuration, so the request is processed without any authentication. Microsoft classifies the issue as an information disclosure vulnerability.

ProxyToken was responsibly disclosed to Microsoft in March 2021 by ZDI and patched in the April 13, 2021 Exchange security updates; the CVE itself was published in July 2021. Customers who have applied the April 2021 security update or a later release are protected against ProxyToken.

CVE ID          CVSS v3  Criticality  Type                     Description
CVE-2021-33766  7.5      High         Improper Authentication  ProxyToken. Authentication bypass on the Exchange Control Panel (ECP) back end, classed by Microsoft as information disclosure: an unauthenticated attacker can change mailbox settings such as forwarding and so steal the target's e-mail traffic.
CVE-2021-26855  9.8      Critical     Remote Code Execution    ProxyLogon chain entry point: pre-authentication server-side request forgery (SSRF) through the front-end proxy to OWA/ECP.
CVE-2021-26857  7.8      High         Remote Code Execution    Insecure deserialization in the Unified Messaging service.
CVE-2021-26858  7.8      High         Remote Code Execution    Post-authentication arbitrary file write, used in the ProxyLogon chain to drop web shells.
CVE-2021-27065  7.8      High         Remote Code Execution    Post-authentication arbitrary file write via ECP, used in the ProxyLogon chain to drop web shells.
CVE-2021-31196  7.2      High         Remote Code Execution    Microsoft Exchange Server remote code execution vulnerability (July 2021 security update); no public technical details.
CVE-2021-31206  8.0      High         Remote Code Execution    Microsoft Exchange Server remote code execution vulnerability (July 2021 security update); no public technical details.
CVE-2021-31207  7.2      High         Security Feature Bypass  ProxyShell: post-authentication arbitrary file write that completes the chain started by CVE-2021-34473 and CVE-2021-34523.
CVE-2021-33768  8.0      High         Privilege Escalation     Microsoft Exchange Server elevation of privilege vulnerability (July 2021 security update); no public technical details.
CVE-2021-34473  9.8      Critical     Remote Code Execution    ProxyShell: pre-authentication path confusion in the front-end proxy that gives unauthenticated access to back-end services.
CVE-2021-34523  9.8      Critical     Privilege Escalation     ProxyShell: elevation of privilege on the Exchange PowerShell back end.

Analysis, Solutions and Recommendations

Going into the Labour Day long weekend, the FBI has warned that ransomware groups are more likely to strike when they believe IT and security staff are away on vacation. The industry saw this happen many times this year, including over Memorial Day weekend (JBS Foods hit by REvil), Mother's Day weekend (Colonial Pipeline hit by DarkSide), and the July Fourth weekend (the Kaseya VSA REvil campaign).

With Exchange increasingly targeted in ransomware attacks, we strongly recommend ensuring that every Exchange server is fully patched going into this weekend.

This section details the recommendations Arctic Wolf makes to mitigate these Exchange vulnerabilities and to increase visibility on Exchange servers.

Microsoft publishes a full listing of Exchange Server build numbers and release dates; use it to map an installed build to its Cumulative Update (CU) and security update (SU). Note that the "or higher" in the tables below applies within a CU line: a later CU's release-to-manufacturing build can carry a numerically higher build number than an earlier CU's patched build while still lacking that CU's security update.

Vulnerability name: ProxyLogon
CVE(s): CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
Patched build number(s) (the listed build or higher within the same CU line):
  • Exchange 2019:
    • 15.2.792.10
    • 15.2.659.12
    • 15.2.595.8
    • 15.2.529.13
    • 15.2.464.15
    • 15.2.397.11
    • 15.2.330.11
    • 15.2.221.18
  • Exchange 2016:
    • 15.1.2176.9
    • 15.1.2106.13
    • 15.1.2044.13
    • 15.1.1979.8
    • 15.1.1913.12
    • 15.1.1847.12
    • 15.1.1779.8
    • 15.1.1713.10
    • 15.1.1591.18
    • 15.1.1531.12
    • 15.1.1466.16
    • 15.1.1415.10
  • Exchange 2013:
    • 15.0.1497.12
    • 15.0.1473.6
    • 15.0.1395.12
Description:
  • A threat actor can chain these vulnerabilities to gain full control of a vulnerable Exchange server and run code with elevated privileges
  • These vulnerabilities have been exploited by multiple threat groups, including nation-state actors, in large-scale campaigns to drop web shells, backdoors and ransomware
  • Microsoft released patches for these vulnerabilities on March 2, 2021

Vulnerability name: ProxyShell
CVE(s): CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
Patched build number(s) (the listed build or higher within the same CU line):
  • CVE-2021-34473 and CVE-2021-34523 (April 13, 2021 security update):
    • Exchange 2019: 15.2.858.10, 15.2.792.13
    • Exchange 2016: 15.1.2242.8, 15.1.2176.12
    • Exchange 2013: 15.0.1497.15
  • CVE-2021-31207 (May 11, 2021 security update):
    • Exchange 2019: 15.2.858.12, 15.2.792.15
    • Exchange 2016: 15.1.2242.10, 15.1.2176.14
    • Exchange 2013: 15.0.1497.18
Description:
  • A threat actor can chain these three vulnerabilities to gain full control of a vulnerable Exchange server and run code with elevated privileges
  • These vulnerabilities have been exploited by ransomware groups to gain initial footholds on Exchange servers
  • Microsoft released patches for the three vulnerabilities on April 13 and May 11, 2021; the CVE identifiers were published in July 2021. Only the May 2021 builds close the full chain

Vulnerability name: ProxyToken
CVE(s): CVE-2021-33766
Patched build number(s) (the listed build or higher within the same CU line):
  • Exchange 2019: 15.2.858.10, 15.2.792.13
  • Exchange 2016: 15.1.2242.8, 15.1.2176.12
  • Exchange 2013: 15.0.1497.15
Description:
  • A threat actor can exploit ProxyToken to bypass authentication on an Exchange server and make mailbox configuration changes, including redirecting e-mail to an account under their control
  • At the time of writing, no exploitation in the wild had been reported, but with the technical details public, exploitation attempts are expected
  • Microsoft released the patch for this vulnerability on April 13, 2021

Vulnerability name: none assigned (July 2021 security update)
CVE(s): CVE-2021-31196, CVE-2021-31206, CVE-2021-33768
Patched build number(s) (the listed build or higher within the same CU line):
  • Exchange 2019: 15.2.922.13, 15.2.858.15
  • Exchange 2016: 15.1.2308.14, 15.1.2242.12
  • Exchange 2013: 15.0.1497.23
Description:
  • No technical details for these vulnerabilities have been shared publicly, and no exploitation in the wild has been reported
  • Microsoft released a patch on July 13, 2021 to address them
  • We recommend upgrading directly to the July 2021 security update rather than stopping at the May 2021 security updates; the July builds also contain the fixes for ProxyLogon, ProxyShell and ProxyToken
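The per-CU-line build check described above, as an added PowerShell example that is not part of the advisory and is not Arctic Wolf's or Microsoft's tooling. It assumes the July 13, 2021 builds from the table as the target, that Get-InstalledExchangeBuild runs on the Exchange server itself where Exchange setup has set $env:ExchangeInstallPath, and that the file version of ExSetup.exe reflects the installed security update (Get-ExchangeServer's AdminDisplayVersion only reflects the CU). The sample builds in the dry run are constructed, not taken from any real server.

```powershell
# Added example, not code from the Arctic Wolf advisory or from Microsoft: checks an
# installed on-premises Exchange build against the July 13, 2021 security update
# builds from the table above, comparing only within the same Cumulative Update (CU)
# line. "15.2.858.15 or higher" is only meaningful inside the 15.2.858 (Exchange 2019
# CU9) line: 15.2.922.7 (CU10 RTM) is numerically higher than 15.2.858.15 but predates
# the July SU and needs its own July build, 15.2.922.13, to be patched.

# CU line (major.minor.build) -> minimum patched build, from the July 2021 row above.
$PatchedBuilds = @{
    '15.2.922'  = [version]'15.2.922.13'   # Exchange 2019 CU10
    '15.2.858'  = [version]'15.2.858.15'   # Exchange 2019 CU9
    '15.1.2308' = [version]'15.1.2308.14'  # Exchange 2016 CU21
    '15.1.2242' = [version]'15.1.2242.12'  # Exchange 2016 CU20
    '15.0.1497' = [version]'15.0.1497.23'  # Exchange 2013 CU23
}

function Get-InstalledExchangeBuild {
    # Run on the Exchange server itself. ExSetup.exe's file version changes with every
    # security update; (Get-ExchangeServer).AdminDisplayVersion only changes with the
    # CU, so it cannot distinguish a patched CU from an unpatched one.
    # $env:ExchangeInstallPath is set by Exchange setup (assumed present).
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    return (Get-Item -Path $exsetup -ErrorAction Stop).VersionInfo.FileVersion
}

function Test-ExchangeBuildPatched {
    param(
        [Parameter(Mandatory = $true)][string]$InstalledBuild,
        [hashtable]$Patched = $PatchedBuilds
    )
    # [version] normalises the zero-padded form ExSetup.exe reports (15.02.0858.015)
    # to 15.2.858.15, so either spelling can be passed in.
    $v        = [version]$InstalledBuild
    $line     = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
    $required = $null

    if ($Patched.ContainsKey($line)) {
        $required = $Patched[$line]
        if ($v -ge $required) { $status = 'Patched' }
        else                  { $status = 'Vulnerable: install the July 2021 SU for this CU' }
    } else {
        # CU line not in the table: either newer than the table (verify manually against
        # Microsoft's build list) or an out-of-support CU with no July 2021 SU
        # (upgrade the CU first, then apply the SU).
        $sameProduct = $Patched.Values | Where-Object { $_.Major -eq $v.Major -and $_.Minor -eq $v.Minor }
        if (-not $sameProduct) {
            $status = 'Unknown product line (not Exchange 2013/2016/2019)'
        } elseif ($v.Build -gt ($sameProduct | Measure-Object -Property Build -Maximum).Maximum) {
            $status = 'Newer CU than this table: verify against the Microsoft build list'
        } else {
            $status = 'Vulnerable: unsupported CU, no July 2021 SU exists; upgrade the CU first'
        }
    }

    [pscustomobject]@{
        InstalledBuild = $v
        CuLine         = $line
        RequiredBuild  = $required
        Status         = $status
    }
}

# Dry run on constructed sample builds (not taken from any real server). Expected:
# 15.2.858.5 (2019 CU9 RTM) vulnerable, 15.2.858.15 patched, 15.02.0922.013 patched,
# 15.1.2242.10 (2016 CU20 + May SU only) vulnerable, 15.0.1395.12 (2013 CU22) unsupported,
# 15.2.986.5 (a hypothetical later CU) newer than the table.
'15.2.858.5', '15.2.858.15', '15.02.0922.013', '15.1.2242.10', '15.0.1395.12', '15.2.986.5' |
    ForEach-Object { Test-ExchangeBuildPatched -InstalledBuild $_ } |
    Format-Table -AutoSize

# On the server: Test-ExchangeBuildPatched -InstalledBuild (Get-InstalledExchangeBuild)
```

Keying the table by CU line rather than doing a single numeric comparison is the point of the example: the CU9 RTM build 15.2.858.5 is correctly reported vulnerable even though it is "higher" than the CU8 April build 15.2.792.13, and a CU the table does not know about is flagged for manual verification instead of being silently assumed patched or vulnerable.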



Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.