Wayne Low of Fortinet’s FortiGuard Lab and Haifei Li of Check Point Research discovered a series of vulnerabilities in Windows Message Queuing (MSMQ), the most serious being CVE-2023-21554, dubbed QueueJumper. If MSMQ is enabled on a server, an attacker can use TCP port 1801 to execute code remotely and without authorization — effectively taking over the server.
The vulnerability was first reported to Microsoft, and a patch was released for this month’s Patch Tuesday on April 11.
What is Windows Message Queuing (MSMQ)?
MSMQ is a middleware service that allows applications running at different times to communicate across networks that may be temporarily offline.
MSMQ isn’t enabled by default on most systems and is considered a legacy service, but it’s commonly toggled on when installing apps and will remain running in the background — making it difficult for users and admins to know whether it is being used. The setup wizard app for Microsoft Exchange Server, for example, enables the MSMQ service in the background if the user follows Microsoft’s recommended prompts, according to Check Point Research.
How Bad is This?
The vulnerability has a 9.8 out of 10 rating on the CVSS severity scale. The rating also categorizes attack complexity as low and privileges required as none, which makes this vulnerability low-hanging fruit for an attacker. If an attacker sends a malicious MSMQ packet to a server running the MSMQ service, it could result in remote code execution on the server side, said Microsoft.
A remote code execution (RCE) vulnerability is always severe because it enables potential threat actors to execute arbitrary code or commands on a remote system. This typically results in an attacker taking control of the remote system and launching further attacks.
Additionally, MSMQ usage is relatively widespread. According to Check Point Research, over 360,000 IPs have the TCP port 1801 open to the internet and are running the MSMQ service, meaning that they are susceptible to attack.
This doesn’t even account for computers that host the MSMQ service on internal networks; however, the most “at-risk” servers or endpoints running the MSMQ service are the ones that are exposed to the internet (like a web server). Internal servers that are not publicly exposed are at a much lower risk, since someone would need to be in the network to exploit them.
What Should I Do?
Affected Windows server and client versions include all currently supported releases up to the latest versions, Windows 11 22H2 and Windows Server 2022.
If you run these versions within your environment, check whether a service named ‘Message Queuing’ is running and whether TCP port 1801 is listening on the computer.
Then, apply the patch that is available here.
If you can’t patch and can’t disable the service, block TCP port 1801 from untrusted sources. This can be done on the computer itself using the built-in Windows Firewall, or at your network perimeter with a physical or virtual firewall appliance.
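The service check, port check and host firewall step described above can be scripted in PowerShell. This is an added example, not code from Blumira or Microsoft; the `-BlockInbound` switch and the firewall rule display name are made up for illustration, and the script assumes an elevated session.

```powershell
# Added example: audit one host for MSMQ exposure on TCP 1801.
param(
    # Hypothetical switch: also create a Windows Firewall block rule.
    [switch]$BlockInbound
)

$port = 1801

# 1. Is the 'Message Queuing' service installed, and is it running?
$svc = Get-Service -DisplayName 'Message Queuing' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "Message Queuing service is not installed."
} else {
    Write-Output ("Message Queuing service status: {0}" -f $svc.Status)
}

# 2. Is anything listening on TCP 1801, and which process owns the socket?
#    On an MSMQ host the owner is expected to be mqsvc.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP $port."
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ("Listening on {0}:{1}, PID {2} ({3})" -f `
        $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
}

# 3. Optional mitigation when patching and disabling the service are not possible.
#    As written, this rule blocks inbound TCP 1801 from every remote address, and
#    block rules take precedence over allow rules, so legitimate MSMQ peers lose
#    access too. Add -RemoteAddress with your untrusted ranges to narrow it.
if ($BlockInbound -and $listeners) {
    New-NetFirewallRule -DisplayName 'Block inbound MSMQ TCP 1801 (example)' `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Block | Out-Null
    Write-Output "Created inbound block rule for TCP $port."
}
```

Run it without arguments first to report only; pass `-BlockInbound` once you have confirmed that no trusted system depends on reaching this host's MSMQ port.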
How Blumira Can Help
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.
Blumira is actively working on a detection for QueueJumper for its customers.
Blumira released two detections and one global report to assist with proactive searching for mqsvc in customer environments:
- Detection 1: CVE-2023-21554 QueueJumper – Accepted External Connection to mqsvc.exe
- Detection 2: CVE-2023-21554 QueueJumper – Suspicious Child Process of mqsvc.exe
- Global Report: Windows – Hosts with Listening mqsvc.exe
Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.