Recent update released by Microsoft, an April Patch Tuesday, revealed a severe vulnerability in Microsoft Message Queueing mechanism. That vulnerability allows remote code execution after sending 1 (one) package through a specific port.
What is Microsoft Message Queueing?
Microsoft Message Queueing, or MSMQ, is an infrastructure element for sharing messages within a local network. At the time of its release – 1997 – it provided a convenient way to communicate with all machines in a nonhomogeneous network. The very essence of that application is turning around the guarantee that the message will be delivered. Security features, as well as other useful elements that made it more convenient to use rendered MSMQ a pretty popular solution for networks. Later, however, it was pushed out from use by newer Microsoft products, like Azure Queues.
Despite being officially ceased from further development, it still receives security updates. Microsoft promises to support it unless the last Windows version it is present in will be supported with security patches. Networks that consist of older computers, are not compliant with modern software or are managed by conservative administrators, still use MSMQ. But the low usage and absence of functionality updates do not mean absence of vulnerabilities. The latter is especially true given that MSMQ is still present even in the latest Windows/Windows Server versions – 11 and 2022.
MSMQ Vulnerability Allows Remote Code Execution
The patch note for 2023 April Patch Tuesday contains information about almost a hundred different breaches that Microsoft managed to fix. A tiny CVE-2023-21554 is not noticeable unless you’re looking at its detailed explanation. As it turns out, the vulnerability supposes the ability to gain control over the reigning process of an entire MSMQ mechanism – mqsvc.exe. Analysts already coined it QueueJumper. Having their hands on that process, hackers can easily make it run any code. Such breaches are classified as remote or arbitrary code execution, and are often guests to the top of vulnerability charts.
Having such an ability is sour, but even more so is having it so easy to exploit. Sending a single packet, forged specifically for exploitation, through the TCP port 1801, gives hackers control over the aforementioned mqsvc.exe. This is pretty easy to do, as you may guess. And given that MSMQ is still present even in the most modern systems, it is feasible for hackers to use it for their dirty deeds. For sure, using it supposes that hackers should be able to reach the 1801 port, meaning it is open to network connections. But now it is a way less common peephole than the RDP’s port 443, and it is open by default.
How to Fix MSMQ Vulnerability? And should I?
After Microsoft published the breach with its detailed explanation in its patch note, nothing stops hackers from using the breach. So yes, it is worth fixing it as soon as possible. RCE/ACE vulnerabilities always bring advanced dangers, as they are commonly used for initial access and malware unfolding. Considering all I told you above about the ports and ease of its exploitation, it is just a matter of time when crooks will put it to use.
Fortunately, the patch that closes the breach is already available. The aforementioned Patch Tuesday fixes this, and numerous other vulnerabilities. Installing it is the easiest and the fastest way to forget about such a threat. However, updates are not that easy to install on all machines when we talk about large corporate networks. For these cases, Microsoft offered a pretty straightforward solution – closing port 1801 from external connections manually. It still does not fix the ability to take over the MSMQ process but makes the exploitation way more complicated and less efficient.