Check Point Research uncovered three MSMQ vulnerabilities, including the critical QueueJumper (CVE-2023-21554), which enables unauthenticated remote code execution over TCP port 1801 and was patched in the April Patch Tuesday update. Administrators are urged to patch, audit MSMQ deployments, and apply mitigations such as restricting access to 1801/tcp to reduce exposure.
#QueueJumper #MSMQ #mqsvc #CVE-2023-21554 #1801 #PatchTuesday #ExchangeServer
Keypoints
- Three MSMQ vulnerabilities were discovered and patched in the April Patch Tuesday update: CVE-2023-21554 (QueueJumper), CVE-2023-21769, and CVE-2023-28302.
- CVE-2023-21554 (QueueJumper) enables unauthenticated remote code execution in the context of the mqsvc.exe Windows service.
- CVE-2023-21769 is an unauthenticated Remote Application Level DoS that can crash the MSMQ service.
- CVE-2023-28302 is an unauthenticated Remote Kernel Level DoS that can cause a Windows BSOD.
- MSMQ remains an optional Windows component present across current OS versions and can be enabled via Exchange Server deployment.
- The attack surface includes a large number of internet-facing hosts: more than 360,000 IPs have 1801/tcp open to the Internet.
- Recommendations include patching promptly, reviewing MSMQ usage, disabling unneeded MSMQ, and blocking inbound 1801/tcp connections if MSMQ cannot be patched immediately.
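The audit and mitigation steps above, as an added PowerShell example (not code from the Check Point post): it reports whether the MSMQ optional feature is installed, whether the MSMQ service (mqsvc.exe) is running and whether anything listens on 1801/tcp, and optionally disables the feature or adds an inbound firewall block. Feature name MSMQ-Server and service name MSMQ are the standard Windows identifiers; the firewall rule display name is a constructed placeholder.

```powershell
# MSMQ exposure audit for CVE-2023-21554 (QueueJumper). Added example, not from the original post.
# Run in an elevated PowerShell session on the host being checked.
[CmdletBinding()]
param(
    # Add an inbound firewall block for 1801/tcp when MSMQ must stay enabled but cannot be patched yet.
    [switch]$BlockPort,
    # Remove the MSMQ optional feature entirely when nothing on this host uses it.
    [switch]$DisableMsmq
)

# 1. Is the Message Queuing optional feature installed?
#    (On Windows Server, Get-WindowsFeature -Name MSMQ-Server gives the same answer.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -ErrorAction SilentlyContinue
$featureState = if ($feature) { $feature.State } else { 'NotPresent' }

# 2. Is the service (service name MSMQ, process mqsvc.exe) present and running?
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$svcStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }

# 3. Is anything listening on 1801/tcp, the port QueueJumper is reached through?
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$listenProcs = $listeners |
    ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } |
    Sort-Object -Unique

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    MsmqFeature    = $featureState
    MsmqService    = $svcStatus
    Port1801Listen = [bool]$listeners
    ListenerProcs  = ($listenProcs -join ',')
} | Format-List

# Mitigation A: remove MSMQ where it is not needed (a reboot may be required to complete removal).
if ($DisableMsmq -and $feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -NoRestart | Out-Null
    Write-Host 'MSMQ-Server feature disabled; reboot to complete removal.'
}

# Mitigation B: block inbound 1801/tcp on all firewall profiles until the patch is applied.
$ruleName = 'Block inbound MSMQ 1801/tcp'   # placeholder rule name chosen for this example
if ($BlockPort -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 1801 -Action Block -Profile Any | Out-Null
    Write-Host "Inbound 1801/tcp blocked by rule '$ruleName'."
}
```

Run without switches first to inventory a host; the firewall block is a stopgap, not a replacement for installing the April update.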
MITRE Techniques
- [T1210] Exploitation of Remote Services – The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching TCP port 1801.
- [T1499] Endpoint Denial of Service – CVE-2023-21769: unauthenticated Remote Application Level DoS (service crash).
- [T1499] Endpoint Denial of Service – CVE-2023-28302: unauthenticated Remote Kernel Level DoS (Windows BSOD).
Indicators of Compromise
- [Port] 1801/tcp – attack vector used by the QueueJumper vulnerability; 1801/tcp is listening on MSMQ-enabled machines.
- [Exposure] More than 360,000 Internet-facing IPs with 1801/tcp open and MSMQ running (a count of exposed hosts, not a specific indicator).
- [Process] mqsvc.exe – the Windows service process in whose context code execution could occur via the vulnerability.
- [Vulnerability] CVE-2023-21554 – QueueJumper remote code execution vector.
- [Software/Service] MSMQ – Microsoft Message Queuing, the affected component.