Caution! RCE vulnerability in the Microsoft Message Queuing (MSMQ) service

Check Point Research recently discovered three vulnerabilities in the “Microsoft Message Queuing” service, commonly known as MSMQ. Microsoft was aware of these and fixed them in the patch April Patch Tuesday.

The most serious of these vulnerabilities, named QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthorized attackers to execute from distance arbitrary code within the Windows service process mqsvc.exe.

hacker

Check Point Research (CPR) blogs about the issue after patching to raise awareness of this critical vulnerability and provide defensive information and mitigation recommendations for Windows users. We will release the full technical details later this month, giving users time to patch their machines before we publicly reveal the technical details.

Key findings

Three vulnerabilities were discovered in the MSMQ service, which were fixed in the patch April Patch Tuesday:

  • CVE-2023-21554 (QueueJumper) — Unauthorized, remote code execution
  • CVE-2023-21769 — Unauthorized, remote Application Level DoS (disruption of service)
  • CVE-2023-28302 — Unauthorized, remote Kernel Level DoS (Windows BSOD)

The most significant vulnerability allows unauthorized attackers to execute arbitrary code within the Windows service process, mqsvc.exe.

MSMQ is provided as an optional component of Windows and is still available on all Windows operating systems, including the latest Windows Server 2022 and Windows 11

MSMQ

According to Microsoft, Microsoft Message Queuing (“MSMQ” for short),

“is a messaging infrastructure and development platform for building distributed, loosely coupled messaging applications for the Microsoft® Windows® operating system. Message Queuing applications can use the Message Queuing infrastructure to communicate between heterogeneous networks and with computers that may be offline. Message Queuing provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging.

The most recent Microsoft documents discussing the service were updated in 2016. Some MSMQ experts published a blog post in January 2020 exploring the service's retirement trend. Despite being considered a "forgotten" or "legacy" service, MSMQ is still available on all Windows operating systems, including the latest Windows Server 2022 and Windows 11, and is provided as an optional Windows component. Users can easily enable the service through the Control Panel or through the PowerShell command “Install-WindowsFeature MSMQ-Services".

msy

Figure 1: Enabling/disabling the MSMQ service on a Windows server

The QueueJumper Vulnerability

CVE-2023-21554 vulnerability allows an attacker to potentially execute remote and unauthorized code via TCP port 1801. In other words, an attacker could gain control over the process via a single packet on 1801/ tcp port with the exploit, enabling the vulnerability.

The impact

We now know that the attacker is sending packets to service port 1801/tcp. In order to better understand the potential impact of this service in the real world, CPR did a full scan of the Internet. Surprisingly, we found that more than ~360.000 IPs have 1801/tcp open on the Internet and are running the MSMQ service.

Note that this only includes the number of Internet-facing hosts and does not take into account computers hosting the MSMQ service on internal networks, where the number should be much higher.

The MSMQ service is a "middleware" service that some popular software relies on. When the user installs the popular software, the MSMQ service is activated in Windows, which can be done without the user's knowledge.

Protection & Mitigation

We recommend that all Windows administrators check their servers and clients to see if the MSMQ service is installed. You can check if a service named “'Message Queuing'” is running and TCP port 1801 is listening on the computer. If it is installed, check again if you need it. Closing unnecessary attack surfaces is always a very good security practice.

For this particular vulnerability we recommend that users install the official patch of Microsoft as soon as possible. If your enterprise requires MSMQ, but is unable to apply the Microsoft patch at this time, you can work around blocking incoming connections for 1801/tcp from untrusted sources with Firewall rules (for example, blocking Internet connections on 1801/tcp for computers with Internet access).

Check Point IPS has developed a signature named “Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)” to detect and protect Check Point Software customers from the QueueJumper vulnerability.

iGuRu.gr The Best Technology Site in Greecegns

every publication, directly to your inbox

Join the 2.113 registrants.
Microsoft, Microsoft Message Queuing

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).