Cybersecurity company Fortinet has published details of three critical and high-severity vulnerabilities in the Microsoft Message Queuing (MSMQ) service. Two of them are tracked as CVE-2023-21554 and CVE-2023-28302; the third has not been assigned a CVE identifier. These vulnerabilities could potentially enable remote code execution (RCE) and denial-of-service (DoS) attacks. Microsoft has addressed these vulnerabilities in its April 2023 Patch Tuesday updates.
MSMQ is a proprietary messaging protocol that facilitates communication between applications operating on different systems. It manages messages that have not reached their intended destination by placing them in a queue and resending them once the destination becomes accessible. MSMQ operates as a standalone service, exposing TCP/IP and RPC ports to allow network interaction. It is implemented in both user-mode and kernel-mode components.
Fortinet discovered three vulnerabilities that could be exploited via TCP port 1801. The most severe of these is CVE-2023-21554, which has a CVSS score of 9.8. This vulnerability is an out-of-bounds write flaw caused by the message header parser failing to validate a message header of arbitrary size. Fortinet stated that “Some message headers […] allow attackers to specify an arbitrary size/length that is not properly sanitized”. The message headers are organized sequentially, and the parser adjusts the pointer based on the defined data structures for each header. However, since some message headers are not validated, the pointer can be adjusted to point to an arbitrary location, potentially causing memory corruption.
The second vulnerability, CVE-2023-28302 with a CVSS score of 7.5, is an out-of-bounds read bug that affects the same message header parser routine. The problem arises because, although most of the message header is scrutinized, the data structure for the header is not validated.
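The sequential-header walk described above, written with the length validation whose absence Fortinet describes, as an added example that is not Microsoft's or Fortinet's code. The wire format, `walk_headers` and the sample messages are constructed for illustration and are not the real MSMQ layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed wire format (NOT the real MSMQ layout): each header is
 * [u16 type][u32 total_len] followed by total_len - 6 body bytes. */
#define HDR_PREFIX 6u

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the sequential headers in buf[0..len). Returns the number of headers,
 * or -1 if any declared length would move the cursor outside the buffer. */
int walk_headers(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < HDR_PREFIX)
            return -1;                    /* truncated prefix */
        uint32_t total = rd32le(buf + off + 2);
        /* The unchecked pattern is `off += total;` right here. The two
         * checks below are what keep the cursor inside the message. */
        if (total < HDR_PREFIX)
            return -1;                    /* would stall or move backwards */
        if (total > remaining)
            return -1;                    /* would point past the end */
        off += total;                     /* safe: off <= len, no wrap */
        count++;
    }
    return count;
}

/* Constructed samples: two well-formed headers, then one whose length lies. */
static const uint8_t good_msg[] = {
    0x01,0x00, 0x08,0x00,0x00,0x00, 0xAA,0xBB,
    0x02,0x00, 0x06,0x00,0x00,0x00 };
static const uint8_t bad_msg[] = {
    0x01,0x00, 0xFF,0xFF,0x00,0x00, 0xAA,0xBB };

int main(void) {
    printf("good: %d\n", walk_headers(good_msg, sizeof good_msg));
    printf("bad:  %d\n", walk_headers(bad_msg, sizeof bad_msg));
    return 0;
}
```

Comparing the declared length against the bytes remaining, rather than computing `off + total` and comparing that to `len`, avoids an integer wrap in the check itself.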
The third vulnerability is an out-of-bounds write flaw that occurs when data is dereferenced without any sanity check in specific functions. A malformed data structure can trigger this flaw in MSMQ’s kernel-mode component.
In April and July 2023, Microsoft issued patches for all three vulnerabilities and for CVE-2023-21769, another high-severity DoS flaw in MSMQ. Users are strongly advised to install these security updates at the earliest opportunity.