Microsoft's Message Queuing (MSMQ) service, an optional but widely deployed component of the Windows operating system, has been found to harbor a serious security vulnerability.
Identified as CVE-2023-21554 and rated with a critical CVSS score of 9.8, it allows a remote attacker to execute code on the server without any form of authentication.
The flaw was discovered by the Check Point Research team, which reported it to Microsoft, and it was fixed in the April 2023 Patch Tuesday update. However, the risk is far from eliminated while unpatched servers remain reachable on the network.
MSMQ is a long-established piece of Windows infrastructure – a messaging and development platform designed to build connected, distributed messaging applications. It provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging.
Its flexible capabilities allow applications to communicate across a variety of networks and even with offline computers. But beneath this veneer of usefulness lay a sleeping dragon.
The vulnerability is reachable over TCP port 1801, the port on which the MSMQ service process (mqsvc.exe) listens. An attacker who can reach that port can trigger the flaw by sending a single malicious packet and potentially take control of the entire service process. Because exploitation requires no authorization of any kind, every host that exposes port 1801 to an untrusted network is open to attack.
“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server. This could lead to remote server-side code execution," Microsoft said.
Providing a technical analysis, researcher Zoemurmure published a Proof-of-Concept (PoC) for CVE-2023-21554. Pointed at the target machine's IP address, the PoC crashes the mqsvc.exe service process. Nothing is shown on the target: no error dialog appears, and the crash is only noticeable in a process monitor (or, after the fact, in the Service Control Manager's "terminated unexpectedly" entries in the System event log), which illustrates how little a defender has to go on.
A proof-of-concept (PoC) is publicly available for CVE-2023-21554, so administrators should apply the fix without delay and, where MSMQ is not actually needed, disable the feature or block inbound TCP port 1801 at the host and network firewall.
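Since the attack surface described above is simply "mqsvc.exe listening on TCP 1801", the first practical step is to find out whether a given Windows host exposes it at all and whether it has been updated. The following PowerShell script is an added example for this article, not code from Check Point, Microsoft or the PoC author; it assumes an elevated session on Windows 8 / Server 2012 or newer (for the DISM, NetTCPIP and NetSecurity cmdlets) and reports the MSMQ feature state, the service, any 1801 listener, inbound firewall rules that allow the port, and the host's patch level.

```powershell
# Added example (not from the article, Check Point or Microsoft): report whether
# this host exposes MSMQ, the attack surface for CVE-2023-21554.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer.
function Get-MsmqExposure {
    $report = [ordered]@{}

    # 1. Is the optional MSMQ-Server feature installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
    $report['MSMQ-Server feature'] = if ($feature) { $feature.State } else { 'unknown (query failed)' }

    # 2. Is the Message Queuing service (mqsvc.exe) present, and is it running?
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $report['MSMQ service'] = if ($svc) { "$($svc.Status), start type $($svc.StartType)" } else { 'not installed' }

    # 3. Is anything listening on TCP 1801, and which process owns the socket?
    $listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    if ($listeners) {
        $report['TCP 1801 listener'] = ($listeners | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            "$($_.LocalAddress):$($_.LocalPort) owned by $($proc.ProcessName) (PID $($_.OwningProcess))"
        }) -join '; '
    } else {
        $report['TCP 1801 listener'] = 'none'
    }

    # 4. Does an enabled inbound firewall rule allow TCP 1801?
    $allowRules = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq '1801' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $report['Inbound allow rules for 1801'] = if ($allowRules) { $allowRules.DisplayName -join '; ' } else { 'none' }

    # 5. Patch level: build numbers differ per Windows version, so surface the OS build
    #    and the most recently installed hotfix for comparison against the April 2023 update.
    $os = Get-CimInstance Win32_OperatingSystem
    $report['OS build'] = "$($os.Caption) build $($os.BuildNumber)"
    $latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $report['Newest hotfix'] = if ($latest) { "$($latest.HotFixID) installed $($latest.InstalledOn)" } else { 'none recorded' }

    [pscustomobject]$report
}

Get-MsmqExposure | Format-List

# Remediation if MSMQ is not needed (uncomment to run):
#   Disable-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -NoRestart
# If MSMQ must stay, block the port from untrusted networks until the host is patched:
#   New-NetFirewallRule -DisplayName 'Block MSMQ TCP 1801' -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block
```

A host that reports the feature as Disabled, no MSMQ service and no 1801 listener is not exposed to this bug regardless of patch state. A host that shows mqsvc.exe owning the 1801 socket together with an inbound allow rule is the case to prioritise: patch it, and if the application does not need queue traffic from other machines, restrict the firewall rule to the specific peers that do.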