Thousands at risk from critical RCE bug in legacy MS service


More than 360,000 unique hosts appear to be at risk from three newly disclosed vulnerabilities, one of them rated critical, in the legacy Microsoft Message Queuing (MSMQ) service, a Check Point researcher has warned.

Disclosed to Microsoft by Check Point’s Haifei Li, and fixed in the 11 April 2023 Patch Tuesday update, the three vulnerabilities are CVE-2023-21554, CVE-2023-21769 and CVE-2023-28302. Of these, CVE-2023-21554, dubbed QueueJumper, a remote code execution (RCE) vulnerability with a CVSS score of 9.8, is considered the most serious.

Left unpatched, QueueJumper could allow unauthenticated, remote attackers to execute arbitrary code in the context of the MSMQ service.

MSMQ is an optional component that is available on all versions of the Windows operating system (OS), including Windows Server 2022 and Windows 11. It is a messaging infrastructure and development platform for building distributed, loosely coupled messaging applications on Windows.

These applications use MSMQ to communicate across networks and with systems that may be offline. According to Microsoft, the service provides “guaranteed message delivery, efficient routing, security, transaction support and priority-based messaging”.

The service has not been updated for some time and, for all intents and purposes, was end-of-lifed years ago. It nevertheless remains available and can easily be enabled through the Control Panel or a single PowerShell command, and herein, said Li, lies the problem.

“The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorisation by reaching the TCP port 1801. In other words, an attacker could gain control of the process through just one packet to the port with the exploit, triggering the vulnerability,” he explained.

“To have a better understanding of the potential impact in the real world of this service, Check Point Research did a full internet scan. Surprisingly, we found that more than 360,000 IPs have the 1801 TCP port open to the internet and are running the MSMQ service,” he said. This figure counts only internet-facing hosts, and does not account for those running MSMQ on internal networks.

Li also noted that because MSMQ is relied upon by other software applications, installing those applications on a Windows system can enable MSMQ, possibly without the user’s knowledge.

“We recommend all Windows admins check their servers and clients to see if the MSMQ service is installed. You can check if there is a service running named ‘Message Queuing’, and TCP port 1801 is listening on the computer. If it is installed, double-check if you need it. Closing unnecessary attack surfaces is always a very good security practice,” he said.

Check Point is holding off on publishing full technical details of the exploit at this stage to give users time to patch their systems. If you are an MSMQ user but cannot apply the patch right now, it is worth blocking inbound connections from untrusted sources to the vulnerable port (TCP 1801) using firewall rules.
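As an added example (not code from the article, from Check Point or from Microsoft), the following PowerShell script carries out the checks Li recommends on a single Windows host and, where MSMQ has to stay, applies the interim firewall restriction described above. Only standard Windows cmdlets are used; the trusted subnet 10.0.0.0/8 and the $RemoveIfUnused switch are placeholders you would set for your own environment.

```powershell
# Added example, not from the article or from Check Point: inventory MSMQ exposure on one Windows
# host and apply the interim firewall mitigation. Run from an elevated PowerShell session on
# Windows 10/11 or Windows Server 2016+. Placeholders (assumptions, change for your environment):
# the trusted subnet and the $RemoveIfUnused switch, which the operator sets only after confirming
# that no installed application depends on MSMQ.

$TrustedSubnet  = '10.0.0.0/8'   # assumption: where legitimate MSMQ peers live
$RemoveIfUnused = $false         # set to $true only after confirming MSMQ is not needed

# 1. Is the 'Message Queuing' service (service name MSMQ) installed, and is it running?
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host 'MSMQ service is not installed on this host; nothing to mitigate.'
    return
}
Write-Host ("Service '{0}' is {1}" -f $svc.DisplayName, $svc.Status)

# 2. Is TCP 1801 listening, and on which addresses? A LocalAddress of 0.0.0.0 or :: means every
#    interface, including any that face untrusted networks.
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("TCP 1801 listening on {0} (pid {1}, {2})" -f $_.LocalAddress, $_.OwningProcess, $proc.ProcessName)
    }

# 3. Which feature pulled MSMQ in. Server SKUs expose it as a role (Get-WindowsFeature); client
#    SKUs as an optional feature, whose enable counterpart is the one-liner the article alludes to:
#    Enable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name 'MSMQ*' | Where-Object Installed | Format-Table Name, InstallState -AutoSize
} else {
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MSMQ*' -and $_.State -eq 'Enabled' } |
        Format-Table FeatureName, State -AutoSize
}

# 4a. Not needed: remove the feature, which removes the listener entirely (a reboot may be required).
if ($RemoveIfUnused) {
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name MSMQ
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -NoRestart
    }
    return
}

# 4b. Needed but not yet patched: restrict TCP 1801 to the trusted subnet. Windows Firewall applies
#     Block rules ahead of Allow rules, so an explicit "block everything else" rule would also cut
#     off the trusted subnet. Instead, disable the existing broad allow rules for 1801, add one
#     narrow allow rule, and make sure each profile's default inbound action is Block.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '1801' } |
    Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'MSMQ TCP 1801 - trusted subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 1801 `
    -RemoteAddress $TrustedSubnet -Action Allow -Profile Any | Out-Null

Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Write-Host "Inbound TCP 1801 now limited to $TrustedSubnet; apply the April 2023 update, then re-run step 2."
```

The firewall step is a stopgap, not a fix: it narrows who can deliver the single packet Li describes, but any host inside the trusted subnet can still reach the vulnerable service until the April 2023 update is installed. Step 2 is also the quickest way to confirm, after patching or removal, that nothing is still listening on 1801.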

QueueJumper is among a number of critical vulnerabilities patched by Microsoft in April. The others, all RCE vulnerabilities, are CVE-2023-28219 and CVE-2023-28220 in the Layer 2 Tunnelling Protocol, CVE-2023-28231 in the DHCP Server Service, CVE-2023-28232 in the Windows Point-to-Point Tunnelling Protocol, CVE-2023-28250 in Windows Pragmatic General Multicast (PGM), and CVE-2023-28291 in the Raw Image Extension.

The April update also fixed CVE-2023-28252, a zero-day elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver, which is being exploited as part of an attack chain delivering the Nokoyawa ransomware.
