Security researchers and experts are warning Windows admins about a critical vulnerability in the Windows Message Queuing (MSMQ) middleware service that can expose hundreds of thousands of systems to attacks. Microsoft patched the vulnerability in this month’s Patch Tuesday release, and admins are encouraged to patch immediately.
MSMQ is an optional component that is available on all Windows operating systems and may be enabled using PowerShell or the Control Panel to give apps network communication capabilities with “guaranteed message delivery.”
Details About the Vulnerability
The vulnerability (tracked as CVE-2023-21554) allows unauthenticated attackers to execute code remotely on unpatched Windows servers using carefully constructed malicious MSMQ packets. These attacks are low-complexity and don’t require user interaction.
The list of affected Windows server and client releases includes all currently supported releases, up to the most recent versions, Windows 11 22H2 and Windows Server 2022.
As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.
Microsoft (Source)
Given previous examples of this kind of vulnerability being exploited, threat actors are likely to go after it, as it represents an attractive target to them.
Hundreds of Thousands of Servers Exposed to Attacks
Check Point Research estimated that CVE-2023-21554 could be used against more than 360,000 Internet-exposed servers running the MSMQ service. Because that estimate does not include devices running the MSMQ service that aren’t reachable over the Internet, the number of unpatched systems is probably substantially larger.
MSMQ is a middleware service used by other programs and an optional Windows component that is typically not activated by default. Even so, the service is frequently toggled on in the background when enterprise apps are installed, and it continues to run long after those apps have been uninstalled.
As reported by BleepingComputer, MSMQ will be automatically enabled during Exchange Server installs.
Microsoft has already addressed this vulnerability, alongside 96 other security flaws, as part of the April Patch Tuesday. The company also advises admins who cannot immediately deploy the patch to disable the MSMQ service to remove the attack vector. Companies that are unable to immediately disable MSMQ or apply Microsoft’s patch can also use firewall rules to block 1801/TCP connections from untrusted sources.
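The check and the two interim mitigations described above can be scripted per host. The following PowerShell is an added example, not code from this article or from Microsoft; it assumes an elevated session, the service short name MSMQ, and a firewall rule display name constructed here for illustration.

```powershell
# Added example: audit a host for MSMQ exposure and optionally apply an
# interim mitigation until the April security update is installed.
# Run from an elevated PowerShell session.
param(
    [ValidateSet('AuditOnly', 'DisableService', 'BlockPort')]
    [string]$Action = 'AuditOnly'
)

# Constructed display name for the rule created by this script (assumption).
$ruleName = 'Interim block inbound MSMQ 1801/TCP (CVE-2023-21554)'

# MSMQ is optional, so the service may not exist on this host at all.
$svc      = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

# Report what was found so results can be collected across a fleet.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    MsmqInstalled = [bool]$svc
    ServiceStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    Listening1801 = [bool]$listener
}

switch ($Action) {
    'DisableService' {
        if ($svc) {
            # -Force also stops services that depend on MSMQ; applications
            # that rely on message queuing stop working until it is re-enabled.
            Stop-Service -Name 'MSMQ' -Force
            Set-Service  -Name 'MSMQ' -StartupType Disabled
        }
    }
    'BlockPort' {
        # A Windows Firewall block rule overrides allow rules, so this cuts
        # off every remote sender. To keep trusted sources working, restrict
        # the RemoteAddress scope of the existing allow rule instead.
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
                -Protocol TCP -LocalPort 1801 -Action Block | Out-Null
        }
    }
}
```

Run with no arguments to audit only; a host that reports `MsmqInstalled` as true but has no application using message queuing is a candidate for `-Action DisableService`.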