Security researchers are warning about a critical vulnerability in the Windows Message Queuing (MSMQ) middleware service that Microsoft patched during this month’s Patch Tuesday and that exposes hundreds of thousands of systems to attacks.
MSMQ is available on all Windows operating systems as an optional component that provides apps with network communication capabilities with “guaranteed message delivery,” and it can be enabled via PowerShell or the Control Panel.
The flaw (CVE-2023-21554) enables unauthenticated attackers to gain remote code execution on unpatched Windows servers using specially crafted malicious MSMQ packets in low-complexity attacks that don’t require user interaction.
The list of affected Windows server and client versions includes all currently supported releases up to the latest versions, Windows 11 22H2 and Windows Server 2022.
Redmond has also attached an “exploitation more likely” tag to CVE-2023-21554, given that it’s “aware of past instances of this type of vulnerability being exploited,” which makes it “an attractive target for attackers.”
“As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority,” Microsoft warns.
Security researchers Wayne Low of Fortinet’s FortiGuard Lab and Haifei Li of Check Point Research were credited for reporting the flaw to Microsoft.
Over 360,000 MSMQ servers exposed to attacks
Check Point Research also shared additional details regarding the potential impact of CVE-2023-21554, saying that it found more than 360,000 Internet-exposed servers running the MSMQ service and potentially vulnerable to attacks.
The number of unpatched systems is likely much higher, seeing that Check Point Research’s estimate doesn’t include devices running the MSMQ service that aren’t reachable over the Internet.
Even though MSMQ is an optional Windows component that isn’t enabled by default on most systems, it is a middleware service that other software depends on: it is commonly switched on in the background when enterprise apps are installed, and it remains running even after those apps are uninstalled.
For instance, Check Point Research found that MSMQ will be automatically enabled during Exchange Server installs.
“CPR saw that when installing the official Microsoft Exchange Server, the setup wizard app would enable the MSMQ service in the background if the user selects the ‘Automatically install Windows Server roles and features that are required to install Exchange’ option, which is recommended by Microsoft,” the researchers said.
“The important takeaway is that if MSMQ is enabled on a server, the attacker could potentially exploit this or any MSMQ vulnerability and take over the server.”
Since Tuesday, cyberintelligence company GreyNoise has been tracking MSMQ connection attempts, and it currently shows ten different IP addresses that have already started scanning for Internet-exposed servers.
MSMQ scanning attempts (GreyNoise)
Microsoft has addressed this bug along with 96 other security flaws as part of the April Patch Tuesday, and it also advised admins who can’t immediately deploy the patch to disable the Windows MSMQ service, where possible, to remove the attack vector.
“You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine,” Microsoft said.
Organizations that can’t immediately disable MSMQ or deploy Microsoft’s patch can also block 1801/TCP connections from untrusted sources using firewall rules.
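As an added example (not from the article, Microsoft or Check Point), the following PowerShell script performs the two checks Microsoft describes, a service named Message Queuing and a listener on TCP 1801, and optionally applies the interim mitigations of disabling the service or adding an inbound block rule for 1801/TCP. The firewall rule name is an assumption; the script assumes an elevated session on Windows 8/Server 2012 or later, where the NetTCPIP and NetSecurity cmdlets are available.

```powershell
<#
  Added example, not part of the original article. Audits a host for the
  CVE-2023-21554 exposure indicators Microsoft lists (the "Message Queuing"
  service and a TCP 1801 listener) and, on request, applies the interim
  mitigations. Run from an elevated PowerShell prompt.
#>
param(
    [switch]$DisableService,  # stop the MSMQ service and set its startup type to Disabled
    [switch]$BlockPort        # add an inbound Windows Firewall rule blocking TCP 1801
)

# 1. Is the service present? Service name is "MSMQ", display name "Message Queuing".
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host "MSMQ service is not installed on this host."
} else {
    Write-Host ("MSMQ service present: status={0}, startup={1}" -f $svc.Status, $svc.StartType)
}

# 2. Is anything listening on TCP 1801? Report the owning process for each listener.
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("TCP 1801 LISTENING on {0} (PID {1}, {2})" -f `
            $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Host "No listener on TCP 1801."
}

# 3. Interim mitigation A: disable the service (Microsoft's advice when patching must wait).
if ($DisableService -and $svc) {
    Stop-Service -Name MSMQ -Force
    Set-Service -Name MSMQ -StartupType Disabled
    Write-Host "MSMQ service stopped and set to Disabled."
}

# 4. Interim mitigation B: block inbound 1801/TCP. Rule name is an assumption; scope it
#    with -RemoteAddress if only specific untrusted ranges should be blocked.
if ($BlockPort) {
    $ruleName = "Block MSMQ TCP 1801 (CVE-2023-21554 interim)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
        Write-Host "Inbound block rule for TCP 1801 created."
    } else {
        Write-Host "Inbound block rule for TCP 1801 already exists."
    }
}
```

Run it with no switches first to audit; re-run with -DisableService or -BlockPort once the change has been approved, since disabling the service will break any application that still depends on MSMQ.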