New Microsoft Exchange ‘ProxyToken’ Vulnerability Allows Attackers to Alter Mailbox Configurations

Details have surfaced regarding a recently patched security flaw in Microsoft Exchange Server that could be exploited by unauthenticated attackers to change server settings, potentially exposing Personally Identifiable Information (PII). The vulnerability, identified as CVE-2021-33766 (CVSS score: 7.3) and referred to as “ProxyToken,” was found by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero-Day Initiative (ZDI) program in March 2021. According to the ZDI, “With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users.” For instance, the attacker could redirect all emails sent to a targeted account to a mailbox they control. Microsoft addressed this issue in its Patch Tuesday updates for July 2021.

New Vulnerability in Microsoft Exchange Server Exposes Mailbox Configurations

August 31, 2021

A critical security flaw, now patched, has been identified in Microsoft Exchange Server, raising significant concerns for businesses relying on this platform for email communication. This vulnerability allows unauthenticated attackers to alter server configurations, potentially leading to the exposure of Personally Identifiable Information (PII). Designated as CVE-2021-33766, commonly referred to as “ProxyToken,” this issue presents a serious risk for organizations, particularly those unaware of its existence prior to recent updates.

The vulnerability was discovered by Le Xuan Tuyen, a researcher affiliated with the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and it was reported through the Zero-Day Initiative (ZDI) program in March 2021. With a CVSS score of 7.3, the flaw permits malicious actors to perform unauthorized configuration actions on mailboxes belonging to any user within the server’s environment.

According to the ZDI’s report, the implications of this vulnerability are alarmingly extensive. It enables attackers to access all emails directed to a targeted account and redirect them to a mailbox under their control. This breach of confidentiality could jeopardize sensitive company information and the privacy of individual employees, amplifying the repercussions for impacted organizations.

Microsoft addressed this vulnerability as part of its July 2021 Patch Tuesday updates, prompting businesses to prioritize immediate implementation of security updates to safeguard their server environments. Failure to apply these patches could leave organizations exposed to potential exploitation tactics commonly outlined in the MITRE ATT&CK framework.

In this context, the attackers may employ a range of tactics categorized under the MITRE ATT&CK Matrix, including initial access through exploitation of vulnerabilities, persistence via ongoing access to mailboxes, and privilege escalation as they navigate server configurations to extend their control. Each of these tactics could significantly enhance an adversary’s ability to disrupt operations or harvest sensitive data.

Organizations utilizing Microsoft Exchange Server must remain vigilant and proactive in their cybersecurity posture. Regular updates, employee training on recognizing phishing attempts, and monitoring for unusual account activity are critical measures that can help mitigate the risks posed by such vulnerabilities. Moreover, understanding the mechanics of attacks, as guided by the MITRE ATT&CK framework, can empower business owners to fortify their defenses against ever-evolving cyber threats.

As the landscape of cybersecurity continues to shift, incidents like the ProxyToken vulnerability serve as a crucial reminder of the importance of maintaining robust security practices. Business owners are encouraged to stay informed about developments in cybersecurity to better protect their operations from potential attacks.

Source link

Related Posts

How to Address the Microsoft Print Spooler Vulnerability: Understanding PrintNightmare

Published on July 8, 2021

Recently, the PrintNightmare vulnerability in Microsoft’s Print Spooler (CVE-2021-34527) was escalated from ‘Low’ to ‘Critical’ severity. This change follows the release of a Proof of Concept on GitHub, which attackers might exploit to gain access to Domain Controllers. Although Microsoft issued a patch in June 2021, it fell short in preventing further exploits, as the Print Spooler feature remains accessible for remote connections. This article provides crucial insights into the vulnerability and offers guidance on mitigation strategies.

Overview of Print Spooler: The Print Spooler is a Microsoft service responsible for managing and monitoring print jobs. It is one of the oldest components in the Microsoft ecosystem and has seen minimal updates since its inception. By default, this service is enabled on all Microsoft devices, including servers and endpoints.

Understanding the PrintNightmare Vulnerability: Once an attacker achieves limited user access, they can exploit the Print Spooler to escalate privileges…

Critical Security Vulnerabilities Identified in Sage X3 Enterprise Management Software

Published: July 8, 2021

Recent research has revealed four significant security vulnerabilities in Sage X3’s enterprise resource planning (ERP) software. Two of these vulnerabilities can potentially be combined to facilitate an attack, allowing malicious actors to execute harmful commands and gain control over compromised systems. These issues were identified by researchers at Rapid7, who reported their findings to Sage Group on February 3, 2021. In response, the company has released patches for various versions of Sage X3, including Version 9 (Syracuse 9.22.7.2), Sage X3 HR & Payroll Version 9 (Syracuse 9.24.1.3), Version 11 (Syracuse 11.25.2.6), and Version 12 (Syracuse 12.10.2.8) in March. The identified vulnerabilities include:

  • CVE-2020-7388 (CVSS score: 10.0): Unauthenticated Remote Command Execution (RCE) as SYSTEM in the AdxDSrv.exe component.
  • CVE-2020-7389 (CVSS score: 5.5): System “CHAINE” Variable Script Command Injection (No fix planned).

Significant Vulnerabilities Identified in Philips Vue PACS Medical Imaging Systems

Date: July 9, 2021

A series of security vulnerabilities have been revealed in the Philips Clinical Collaboration Platform Portal (commonly known as Vue PACS). Some of these vulnerabilities could potentially be exploited by malicious actors to gain control over affected systems. According to a warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or compromise system data integrity, thereby threatening the confidentiality, integrity, or availability of the system.”

These 15 vulnerabilities affect the following systems:

  • VUE Picture Archiving and Communication Systems (versions 12.2.x.x and earlier)
  • Vue MyVue (versions 12.2.x.x and earlier)
  • Vue Speech (versions 12.2.x.x and earlier)
  • Vue Motion (versions 12.2.1.5 and earlier)

Notably, four specific issues (CVE-2020-1938, CVE-2018-12326, CVE-2018-11218, CVE-2020-4670, and CVE-2018-8014) have been assigned a Critical rating.

Urgent: Critical RCE Vulnerability in ForgeRock Access Manager Under Active Exploitation

Cybersecurity agencies in Australia and the U.S. are sounding the alarm about a serious vulnerability in ForgeRock’s OpenAM access management system, which is being actively exploited to execute remote code on compromised systems. The Australian Cyber Security Centre (ACSC) has reported that threat actors are leveraging this flaw to infiltrate multiple hosts, deploying additional malware and tools. However, details regarding the nature and scope of the attacks, as well as the identities of the perpetrating actors, remain undisclosed.

Identified as CVE-2021-35464, this vulnerability is a pre-authentication remote code execution (RCE) flaw linked to unsafe Java deserialization in the Jato framework used by ForgeRock Access Manager. Exploiting this vulnerability allows attackers to execute commands within the context of the current user rather than as a root user.