QueueJumper: Patch critical RCE vulnerability in MSMQ service

A remote code execution vulnerability, CVE-2023-21554, exists in the Microsoft Message Queuing service (MSMQ) and has been rated critical with a CVSSv3 score of 9.8. On April 11, 2023, Microsoft released security updates for Windows clients and servers that also address this vulnerability. Those who have not yet updated their systems should apply the patch promptly, or at least mitigate the vulnerability.


Vulnerability CVE-2023-21554 in MSMQ service

On April 11, 2023, Microsoft released security updates for Windows clients and servers that address 97 CVE vulnerabilities in Microsoft products. This includes the RCE vulnerability CVE-2023-21554 in the Microsoft Message Queuing service (MSMQ). An attacker could exploit this vulnerability by sending a specially crafted MSMQ packet to an affected MSMQ server.

Microsoft notes that the Windows Message Queuing service must be enabled for this vulnerability to be exploitable. When the service is enabled, the host listens on TCP port 1801. The vulnerability was discovered by Wayne Low (FortiGuard Lab) and Haifei Li (Check Point Research). I had pointed out the issue in the post Microsoft Security Update Summary (April 11, 2023).

QueueJumper vulnerability CVE-2023-21554 in MSMQ service

According to the above tweet, Check Point Research has published a deeper analysis in the article QUEUEJUMPER: CRITICAL UNAUTHENTICATED RCE VULNERABILITY IN MSMQ SERVICE. The security researchers actually discovered three vulnerabilities in the "Microsoft Message Queuing" (MSMQ) service. These vulnerabilities were reported to Microsoft and fixed with the April Patch Tuesday update. The most serious of them, CVE-2023-21554, is the critical vulnerability mentioned above, which could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Security updates for Windows

Microsoft has released the following security updates for Windows clients and servers as of April 11, 2023, which also address vulnerabilities in the MSMQ service:


  • KB5025279: Windows 7 SP1 and Windows Server 2008 R2 SP1 (Monthly Quality Rollup)
  • KB5025277: Windows 7 SP1 and Windows Server 2008 R2 SP1 (Security-only Update)
  • KB5025285: Windows Server 2012 R2 (Monthly Rollup Update)
  • KB5025288: Windows Server 2012 R2 (Security Only Quality Update)
  • KB5025287: Windows Server 2012 (Monthly Rollup Update)
  • KB5025272: Windows Server 2012 (Security-only Quality Update)
  • KB5025221: Windows 10 Version 20H2 – 22H2
  • KB5025229: Windows 10 Enterprise 2019 LTSC / Windows Server 2019
  • KB5025228: Windows 10 Enterprise LTSC / Windows Server 2016
  • KB5025234: Windows 10 Enterprise LTSC
  • KB5025239: Windows 11 22H2
  • KB5025224: Windows 11 21H2
  • KB5025230: Windows Server 2022

The updates are listed by Microsoft on the page for CVE-2023-21554 and are described with their fixes in subsequent blog posts. Security researchers have scanned the Internet for exposed Microsoft Message Queuing (MSMQ) services on IPv4/IPv6 and found more than 400,000 vulnerable instances, according to this tweet.
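The two conditions described above (MSMQ service enabled with a listener on TCP port 1801, and one of the April 11, 2023 updates installed) can be checked locally on a host. The following PowerShell is an added example, not code from Microsoft or Check Point; the function name Get-MsmqExposure and the verdict strings are hypothetical, and it assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example: local exposure check for CVE-2023-21554 (QueueJumper).
# Function name and verdict strings are hypothetical, chosen for this example.

# KB numbers copied from the update list in this article.
$AprilKBs = @(
    'KB5025279', 'KB5025277', 'KB5025285', 'KB5025288', 'KB5025287',
    'KB5025272', 'KB5025221', 'KB5025229', 'KB5025228', 'KB5025234',
    'KB5025239', 'KB5025224', 'KB5025230'
)

function Get-MsmqExposure {
    # Message Queuing is registered under the service name 'MSMQ'.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # When the service is enabled, the host listens on TCP port 1801.
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen `
                   -ErrorAction SilentlyContinue)

    # Get-HotFix reports only these exact packages. A later cumulative
    # update also carries the fix, so "not found" means "verify manually",
    # not "unpatched".
    $found = @(Get-HotFix | Where-Object { $AprilKBs -contains $_.HotFixID } |
               Select-Object -ExpandProperty HotFixID)

    $verdict = if ($null -eq $svc) {
        'MSMQ service not installed'
    } elseif (-not $running -and $listeners.Count -eq 0) {
        'MSMQ installed but not listening on TCP 1801'
    } elseif ($found.Count -gt 0) {
        'MSMQ listening; April 2023 update found'
    } else {
        'MSMQ listening; April 2023 KB not found, verify patch level'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ServiceRunning  = $running
        ListenAddresses = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
        AprilKBsFound   = $found -join ', '
        Verdict         = $verdict
    }
}

Get-MsmqExposure | Format-List
```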

Similar articles:
Microsoft Security Update Summary (April 11, 2023)
Patchday: Windows 10 Updates (April 11, 2023)
Patchday: Windows 11/Server 2022 Updates (April 11, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (April 11, 2023)

