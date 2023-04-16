



executive summary

Check Point Research recently discovered three vulnerabilities in the “Microsoft Message Queuing” service, commonly known as MSMQ. These vulnerabilities were disclosed to Microsoft and patched in the April Patch Tuesday release. The most severe of these, dubbed QueueJumper (CVE-2023-21554) by CPR, is a critical vulnerability that could allow an unauthenticated attacker to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Check Point Research (CPR) released this blog after the patch was published to raise awareness of this critical vulnerability and to provide defense insights and mitigation recommendations for Windows users. We will release full technical details later this month, giving users time to patch their machines before the details are public.

Key Findings

Three vulnerabilities were discovered in the MSMQ service, all patched on Patch Tuesday in April.

- CVE-2023-28302 Unauthenticated Remote Kernel Level DoS (Windows BSOD)

The most severe vulnerability allows an unauthenticated attacker to execute arbitrary code in the context of the Windows service process mqsvc.exe. MSMQ is delivered as an optional Windows component and is still available on all Windows operating systems, including the latest Windows Server 2022 and Windows 11.

According to Microsoft, Microsoft Message Queuing (MSMQ for short) is:

“A messaging infrastructure and development platform for creating loosely coupled, distributed messaging applications for the Microsoft Windows operating system. Message Queuing applications use the Message Queuing infrastructure to communicate across networks. Message Queuing provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging.”

The latest Microsoft documentation describing the service was updated in 2016. Some MSMQ experts published a blog post in January 2020 examining the trend of the service becoming obsolete. Despite being considered a “forgotten” or “legacy” service, MSMQ is still available and offered as an optional Windows component on all Windows operating systems, including the latest Windows Server 2022 and Windows 11. A user can easily enable the service through Control Panel or with the PowerShell command Install-WindowsFeature MSMQ-Services.

Figure 1 – Enabling/Disabling the MSMQ service on Windows Server

The CVE-2023-21554 vulnerability could allow an attacker to remotely execute code without authentication by reaching TCP port 1801. In other words, an attacker could gain control of the process with just one packet sent to the 1801/tcp port, triggering the vulnerability.

impact

We now know that the attack vector is a packet sent to the service on port 1801/tcp. To better understand the potential real-world impact of this service, CPR scanned the entire internet.

Amazingly, we found about 360,000+ IPs opening 1801/tcp to the internet and running MSMQ services.

Note that this includes only Internet-facing hosts and does not take into account computers hosting the MSMQ service on internal networks. The real number should be much higher.

The MSMQ service is a “middleware” service that some popular software depends on. When a user installs such software, Windows enables the MSMQ service as a dependency. This can happen without the user’s knowledge.

For example, CPR found that when a user installs the official Microsoft Exchange Server and selects the option “Automatically install Windows Server roles and features that are required to install Exchange”, the setup wizard enables the MSMQ service in the background.

Figure 3 – Installing Exchange Server will enable MSMQ on the machine if the option is selected

After installation, the MSMQ service is automatically enabled.

Figure 4 – MSMQ process running on the same machine after Exchange Server installation

As a result, Exchange Server ends up running alongside the MSMQ service on the same machine.

The important point is that if MSMQ is enabled on a server, an attacker could exploit this vulnerability, or another MSMQ vulnerability, to take over the server. Therefore, administrators are strongly encouraged to review their servers carefully and follow the protection and mitigation recommendations listed below.

protection and mitigation

All Windows administrators are advised to check their servers and clients to see if the MSMQ service is installed. You can check whether a service named Message Queuing is running and whether TCP port 1801 is listening on the computer. If it is installed, double check whether you actually need it. Closing unnecessary attack surfaces is always a very good security practice.

For the particular vulnerability described here, we recommend that users install the official patch from Microsoft as soon as possible. If your business requires MSMQ but you cannot apply Microsoft’s patch right now, you can use firewall rules to block inbound connections to 1801/tcp from untrusted sources (for example, block Internet connections to 1801/tcp on Internet-facing machines) as a workaround.
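The checks and the firewall workaround described above, combined into one audit script as an added example (this is not code from the CPR post). It assumes an elevated PowerShell session, the standard service name MSMQ (display name Message Queuing), the built-in NetTCPIP/NetSecurity cmdlets, and the Windows Firewall “Internet” remote-address keyword; the -AddFirewallBlock switch and rule name are this script's own.

```powershell
# Added example (not from the original post): audit this host for MSMQ exposure
# to CVE-2023-21554 and optionally apply the 1801/tcp firewall workaround.
# Assumptions: run elevated; service name "MSMQ" (display name "Message Queuing");
# Get-NetTCPConnection / New-NetFirewallRule are available (Windows 8 / 2012 and later).
[CmdletBinding()]
param(
    [switch]$AddFirewallBlock,   # hypothetical switch of this script, not a Windows option
    [string]$RuleName = 'Block inbound MSMQ 1801/tcp from Internet (CVE-2023-21554 workaround)'
)

$result = [ordered]@{
    ServiceInstalled  = $false
    ServiceStatus     = 'NotInstalled'
    ProcessRunning    = $false
    Port1801Listening = $false
    NeedsPatchReview  = $false
}

# 1. Is the Message Queuing service present, and what state is it in?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if ($svc) {
    $result.ServiceInstalled = $true
    $result.ServiceStatus    = $svc.Status.ToString()
}

# 2. Is mqsvc.exe, the process in which QueueJumper would execute code, running?
$result.ProcessRunning = [bool](Get-Process -Name 'mqsvc' -ErrorAction SilentlyContinue)

# 3. Is anything listening on TCP 1801, the port the single attack packet targets?
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$result.Port1801Listening = [bool]$listener

# A host exposes the vector only when the service is installed and the port is open.
$result.NeedsPatchReview = $result.ServiceInstalled -and $result.Port1801Listening
[pscustomobject]$result

# 4. Optional workaround while the April 2023 patch is pending: block inbound 1801/tcp
#    from non-local addresses. The rule is scoped with the "Internet" keyword, so
#    existing rules that allow MSMQ from the local subnet keep working.
if ($AddFirewallBlock -and $result.NeedsPatchReview) {
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        Write-Host "Firewall block rule added: $RuleName"
    } else {
        Write-Host "Firewall block rule already present: $RuleName"
    }
}
```

Run it without the switch first to inventory hosts; a result with ServiceInstalled true and Port1801Listening false usually means the service exists but is stopped, which still warrants removing the optional component if it is not needed.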

Check Point IPS developed and deployed a signature named Microsoft Message Queuing Remote Code Execution (CVE-2023-21554) to detect the QueueJumper vulnerability and protect customers.

