Check Point Research recently discovered three vulnerabilities in the Microsoft Message Queuing service commonly known as MSMQ. These vulnerabilities were disclosed to Microsoft and patched in the April Patch Day Update. The most severe of these, dubbed QueueJumper (CVE-2023-21554) by the checkpoint research team , could allow an unauthenticated attacker to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
MSMQ
According to Microsoft, Microsoft Message Queuing (“MSMQ” for short),
“is a message infrastructure and a development platform for creating distributed, loosely-coupled messaging applications for the Microsoft® Windows® operating system. Message Queuing applications can use the Message Queuing infrastructure to communicate across heterogeneous networks and with computers that may be offline. Message Queuing provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging.”
The QueueJumper Vulnerability
The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801. In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability.
The Impact
We now know the attack vector sends packets to the service port 1801/tcp. In order to have a better understanding of the potential impact in the real world of this service, CPR did a full Internet scan.
Protection & Mitigation
Checkpoint recommend all Windows admins check their servers and clients to see if the MSMQ service is installed. You can check if there is a service running named ‘Message Queuing’, and TCP port 1801 is listening on the computer. If it is installed, double-check if you need it. Closing unnecessary attack surfaces is always a very good security practice.
For this particular vulnerability we discussed, we recommend users install Microsoft’s official patch as soon as possible. If your business requires MSMQ but is unable to apply Microsoft’s patch right now, you may block the inbound connections for 1801/tcp from untrusted sources with Firewall rules (for example, blocking Internet connections to 1801/tcp for Internet-facing machines), as a workaround.
Check Point IPS has developed and deployed a signature named “Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)” to detect and protect our customers against the QueueJumper vulnerability.
Threat Hunting
Twitter https://twitter.com/mthcht researcher has shared the threat hunting tweets below.
Unauthenticated RCE with a single packet on port 1801
1. Check Firewall/IDS logs for allowed requests on TCP port 1801 from external IP address. – search for: dest_port=1801 NOT (src_ip IN (192.168.0.0/16,172.16.0.0/12,10.0.0.0/8)) action=allowed
– Search for CVE-2023-21554 IDS signatures on TCP port 1801 from external IP address
– Block TCP/1801, apply Patch
2. Save all the external attackers IP observed (could be regular port scans), monitor outbound requests from internal IP to the attackers IPs.
3. Check EventID 5156 for permitted inbound connection on port 1801, EventID 5154 will show service MSMQ listening for incoming connection on port 1801
– Sysmon EventID 3 for connections made on port 1801
Source/Reference- https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/