Beware of RCE Vulnerability in MSMQ Service
Category: Vulnerability | Industry: Global | Level: Tactical | Source: Check Point
Following Microsoft's Patch Tuesday on April 11th, a critical zero-day remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) service, CVE-2023-21554 (also known as QueueJumper), has been patched. MSMQ is supplied as an optional component on all versions of Windows and provides applications with network communication capabilities, including guaranteed message delivery. Analysis from Check Point Research found, "an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability." QueueJumper does not require any user interaction, making it an attractive low-complexity attack technique. Additionally, Check Point conducted an internet scan and identified over "360,000 IPs have the 1801/tcp open to the Internet and are running the MSMQ service."

Windows administrators are advised to check whether the MSMQ service is installed on any of their hosts and, if so, to verify whether the service is needed and/or apply the patch released by Microsoft. The QueueJumper vulnerability was reported to Microsoft by security researchers Wayne Low from Fortinet's FortiGuard Lab and Haifei Li from Check Point Research.
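One way to carry out the host check advised above, as an added example that is not from Check Point, Microsoft or Anvilogic. It assumes the Message Queuing service is registered under the service name `MSMQ` and that the function name `Get-MsmqExposure` is hypothetical; run it in an elevated PowerShell session on the host being audited.

```powershell
# Added example: audit the local host for MSMQ exposure (CVE-2023-21554 / QueueJumper).
# Assumptions: the service name is 'MSMQ' (display name "Message Queuing") and
# the listener of interest is 1801/tcp, the port named in the advisory.

function Get-MsmqExposure {
    [CmdletBinding()]
    param([int]$Port = 1801)

    # The service only exists when the optional MSMQ component is installed.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Listening sockets on the MSMQ port, with the owning process resolved
    # so an unrelated listener on the same port is not mistaken for MSMQ.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = $proc.ProcessName
            }
        })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType        = if ($svc) { $svc.StartType } else { $null }
        Listening        = $listeners.Count -gt 0
        Listeners        = $listeners
    }
}

$result = Get-MsmqExposure
$result | Format-List ComputerName, ServiceInstalled, ServiceStatus, StartType, Listening
$result.Listeners | Format-Table -AutoSize

if ($result.ServiceInstalled -or $result.Listening) {
    Write-Warning ("MSMQ is present on {0}. Confirm the service is needed and apply " +
        "the patch Microsoft released for CVE-2023-21554." -f $result.ComputerName)
} else {
    Write-Output ("MSMQ not detected on {0}." -f $result.ComputerName)
}
```

A host that reports `ServiceInstalled = True` with a stopped service is still worth tracking, since the component remains installed and can be started later.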
Anvilogic Use Case:
- Potential network connection with CVE-2023-21554