Thousands at risk from critical RCE bug in legacy MS service

More than 360,000 unique hosts appear to be at risk from three newly disclosed vulnerabilities – one of them rated as critical – in the legacy Microsoft Message Queuing (MSMQ) service, a Check Point researcher has warned.

Disclosed to Microsoft by Check Point’s Haifei Li, and fixed in the 11 April 2023 Patch Tuesday update, the three vulnerabilities are CVE-2023-21554, CVE-2023-21769 and CVE-2023-28302. Out of these, CVE-2023-21554, or QueueJumper, a remote code execution (RCE) vulnerability with a CVSS score of 9.8, is considered the most critical.

Left unaddressed, QueueJumper could allow unauthorised attackers to remotely execute arbitrary code in the context of the MSMQ service.

MSMQ is an optional component that is available on all versions of the Windows operating system (OS) including Windows Server 2022 and Windows 11. It is a message infrastructure and development platform that creates distributed, loosely coupled messaging applications for Windows.

These applications use MSMQ to communicate across networks and with systems that may be offline. According to Microsoft, the service provides “guaranteed message delivery, efficient routing, security, transaction support and priority-based messaging”.

The service has not been updated for some time and for all intents and purposes, was end-of-lifed a few years ago, although it remains available and can easily be enabled via the Control Panel or a specific PowerShell command, and herein, said Li, lies the problem.

“The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorisation by reaching the TCP port 1801. In other words, an attacker could gain control of the process through just one packet to the port with the exploit, triggering the vulnerability,” he explained.

“To have a better understanding of the potential impact in the real world of this service, Check Point Research did a full internet scan. Surprisingly, we found that more than 360,000 IPs have the 1801 TCP port open to the internet and are running the MSMQ service,” he said. This number includes only internet-facing hosts, and does not account for those hosting MSMQ on internal networks.

Li additionally noted that as MSMQ is relied upon by other software applications, when the user installs these on a Windows system, they will enable MSMQ, possibly without their knowledge.

“We recommend all Windows admins check their servers and clients to see if the MSMQ service is installed. You can check if there is a service running named ‘Message Queuing’, and TCP port 1801 is listening on the computer. If it is installed, double-check if you need it. Closing unnecessary attack surfaces is always a very good security practice,” he said.

Check Point is holding off publishing full technical details of the exploit at this stage to give users time to patch their systems. If you are an MSMQ user but cannot apply the patch right now, it is worth blocking inbound connections from untrusted sources to the vulnerable port using firewall rules.

QueueJumper is among a number of critical vulnerabilities patched by Microsoft in April. The others, all RCE vulnerabilities, are CVE-2023-28219 and CVE-2022-28220 in Layer 2 Tunnelling Protocol, CVE-2023-28231 in DHCP Server Service, CVE-2023-28232 in Windows Point-to-Point Tunnelling Protocol, CVE-2023-28250 in Windows Pragmatic General Multicast (PGM), and CVE-2023-28291 in Raw Image Extension.

The April update also fixed CVE-2023-28252, a zero-day vulnerability in the Microsoft Common Log File System (CLFS) – which is being exploited as part of an attack chain delivering the Nokoyawa ransomware.