Microsoft Patched Critical RCE Vulnerability in MSMQ Service

Check Point Research (CPR) recently discovered three vulnerabilities in the “Microsoft Message Queuing” service (MSMQ). The most severe of these vulnerabilities, known as QueueJumper (CVE-2023-21554), could allow unauthorized attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe. This vulnerability was patched by Microsoft in the April Patch Tuesday update.

MSMQ is a message infrastructure and development platform for creating distributed, loosely-coupled messaging applications for the Microsoft Windows operating system. While it is considered a “forgotten” or “legacy” service, MSMQ is still available on all Windows operating systems, including the latest Windows Server 2022 and Windows 11, and is provided as an optional Windows component.

QueueJumper Vulnerability

The QueueJumper vulnerability (CVE-2023-21554) allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801. An attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability.

Impact  of QueueJumper 

A full Internet scan revealed that more than 360,000 IPs have the 1801/tcp port open to the Internet and are running the MSMQ service- according to CheckPoint. 

The MSMQ service is a “middleware” service that some popular software relies on. When a user installs popular software, the MSMQ service is enabled on Windows, which may be done without the user’s knowledge.

For example, when installing the official Microsoft Exchange Server, the setup wizard app would enable the MSMQ service in the background if the user selects the “Automatically install Windows Server roles and features that are required to install Exchange” option, which is recommended by Microsoft. If MSMQ is enabled on a server, an attacker could potentially exploit this or any MSMQ vulnerability and take over the server.

Protection & Mitigation

CheckPoint recommends all Windows admins check their servers and clients to see if the MSMQ service is installed. 

Users or Admins can check if there is a service running named ‘Message Queuing’, and if TCP port 1801 is listening on the computer. If it is installed, double-check if you need it. 

Closing unnecessary attack surfaces is always a very good security practice. For this particular vulnerability, users should install Microsoft’s official patch as soon as possible. If a business requires MSMQ but is unable to apply Microsoft’s patch right now, it may block the inbound connections for 1801/tcp from untrusted sources with Firewall rules as a workaround.