Microsoft has released a set of security updates to fix a total of 97 flaws impacting its software; 45 of which are RCE vulnerabilities. Researchers have discovered three vulnerabilities in the Microsoft Message Queuing service (MSMQ) and were patched in Microsoft’s Patch Tuesday update. The most severe flaw out of the three is CVE-2023-21554 (known as QueueJumper; CVSSv3 Score: 9.8 – Critical) which allows remote code execution after sending a single package through the TCP port 1801.
According to Microsoft, MSMQ is a message infrastructure and development platform for creating distributed, loosely-coupled messaging applications for the Microsoft Windows operating system. Message Queuing applications can use the Message Queuing infrastructure to communicate across heterogeneous networks and with computers that may be offline. Message Queuing provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging.
QueueJumper Vulnerability & Impact
CVE-2023-21554 allows an attacker to execute code remotely and without authorization by reaching the TCP port 1801. A threat actor could gain control of the process through a single packet to the 1801/tcp port with the exploit. By doing this, it gives hackers control over mqsvc.exe.
A full internet scan showed that more than 360,000 IPs have 1801/tcp open to the internet and are running the MSMQ service. This includes the number of hosts facing the internet and does not account for computers hosting the MSMQ service on internal networks. Some popular software relies on MSMQ, so when a user installs that software, the MSMQ service is enabled on Windows and may be done without the user’s knowledge. It is important to note that MSMQ is disabled by default in all operating systems. Full technical details will be released later this month.
Mitigation
- All Windows admins are recommended to check their servers and clients to see if the MSMQ service is installed. You can check if there is a service running named ‘Message Queuing’, and TCP port 1801 is listening on the computer. If it is installed, double-check if you need it. Closing unnecessary attack surfaces is always a very good security practice.
- Users are recommended to install Microsoft’s official patch as soon as possible. If your business requires MSMQ but is unable to apply Microsoft’s patch right now, you may block the inbound connections for 1801/tcp from untrusted sources with Firewall rules (for example, blocking Internet connections to 1801/tcp for Internet-facing machines), as a workaround.
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.
Additionally, we are running a Nessus external scan on internet facing servers and will report if we find anything.
As always, if we detect activity related to these exploits, we will alert you if warranted.
Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.
Microsoft Customer Guidance
CVE-2023-21554 – Security Update Guide – Microsoft Security Response Center
Resources & Related Articles