Security researchers and experts are warning of a critical vulnerability in the Windows Message Queuing (MSMQ) middleware service that Microsoft patched during this month's Patch Tuesday. The vulnerability potentially exposes hundreds of thousands of systems to attacks. MSMQ is an optional component available on all Windows operating systems that gives applications network communication with "guaranteed message delivery." It can be enabled via PowerShell or the Control Panel.
The flaw, identified as CVE-2023-21554, allows unauthenticated attackers to gain remote code execution on unpatched Windows servers by using specially crafted malicious MSMQ packets. These low-complexity attacks do not require user interaction. Affected Windows server and client versions include all currently supported releases up to the latest versions, Windows 11 22H2 and Windows Server 2022. Microsoft has attached an "exploitation more likely" tag to CVE-2023-21554, as the company is "aware of past instances of this type of vulnerability being exploited," making it "an attractive target for attackers." Microsoft warns that customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.
Security researchers Wayne Low of Fortinet's FortiGuard Lab and Haifei Li of Check Point Research were credited for reporting the flaw to Microsoft. Check Point Research shared additional details regarding the potential impact of CVE-2023-21554, stating that it found more than 360,000 Internet-exposed servers running the MSMQ service and potentially vulnerable to attacks. The number of unpatched systems is likely much higher, as Check Point Research's estimate does not include devices running the MSMQ service that are not reachable over the Internet.
Although MSMQ is an optional Windows component that is not enabled by default on most systems, it is a middleware service used by other software. The service will commonly be toggled on in the background when installing enterprise apps and will remain running even after uninstalling apps. For example, Check Point Research discovered that MSMQ will be automatically enabled during Exchange Server installs. The researchers said, "CPR saw that when installing the official Microsoft Exchange Server, the setup wizard app would enable the MSMQ service in the background if the user selects the 'Automatically install Windows Server roles and features that are required to install Exchange' option, which is recommended by Microsoft." The researchers added, "The important takeaway is that if MSMQ is enabled on a server, the attacker could potentially exploit this or any MSMQ vulnerability and take over the server."
Since Tuesday, cyber intelligence company GreyNoise has been tracking MSMQ connection attempts and currently shows ten different IP addresses that have already started scanning for Internet-exposed servers. While Microsoft addressed this bug and 96 other security flaws as part of the April Patch Tuesday, it also advised admins who cannot immediately deploy the patch to disable the Windows MSMQ service (if possible) to remove the attack vector. Microsoft said, "You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine." Organizations that cannot immediately disable MSMQ or deploy Microsoft's patch can also block inbound 1801/TCP connections from untrusted sources using firewall rules.
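The check Microsoft describes, and the two interim workarounds, as an added PowerShell script that is not part of the article or of Microsoft's guidance. It assumes the service's short name is `MSMQ` (display name "Message Queuing"), that the firewall profiles' default inbound action is Block, and that `$TrustedSources` is replaced with the address ranges that legitimately talk MSMQ to the host; run it from an elevated session.

```powershell
# Audit a host for the MSMQ exposure tied to CVE-2023-21554; -Mitigate applies workarounds.
param(
    [switch]$Mitigate,
    # PLACEHOLDER: replace with the ranges that legitimately need MSMQ access to this host.
    [string[]]$TrustedSources = @('192.0.2.0/24')
)

# 1. Is the Message Queuing service present, and is it running?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if (-not $svc) { Write-Output 'Message Queuing service is not installed.'; return }
Write-Output ('Message Queuing service: {0}, startup type {1}' -f $svc.Status, $svc.StartType)

# 2. Is anything listening on TCP 1801, the port Microsoft says to check?
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $proc = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
    Write-Output ('TCP/1801 is listening (PID {0}, {1})' -f $listener[0].OwningProcess, $proc.ProcessName)
} else {
    Write-Output 'TCP/1801 is not listening.'
}

# 3. Which enabled inbound firewall rules touch TCP/1801, and from which remote addresses?
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '1801' } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Write-Output ('Rule "{0}": {1} from {2}' -f $_.DisplayName, $_.Action, $addr)
    }

if (-not $Mitigate) { return }

# Workaround A (Microsoft's advice): stop the service and keep it from restarting.
Stop-Service -Name 'MSMQ' -Force
Set-Service -Name 'MSMQ' -StartupType Disabled

# Workaround B: if MSMQ must stay up, allow TCP/1801 only from trusted sources.
# Windows Firewall evaluates Block rules before Allow rules, so "allow trusted + block all"
# would block everything. Instead, disable the broad allow rules and add one scoped allow;
# the profile's default inbound action (Block) then drops untrusted sources.
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '1801' } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'MSMQ TCP/1801 - trusted sources only' -Direction Inbound `
    -Protocol TCP -LocalPort 1801 -RemoteAddress $TrustedSources -Action Allow | Out-Null
# Warn if a profile would still let untrusted traffic through by default.
Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block' | ForEach-Object {
    Write-Warning ('Profile {0}: default inbound is {1}; untrusted TCP/1801 is NOT blocked.' -f $_.Name, $_.DefaultInboundAction)
}
```

Workaround B restricts only the TCP/1801 listener; it is a stopgap until the April update is installed, not a replacement for patching.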