Warning: "Critical Vulnerability in Windows Message Queuing Service Exposes Hundreds of Thousands of Servers to Attacks"

A critical vulnerability has been discovered in the Windows Message Queuing (MSMQ) middleware service, which can potentially expose hundreds of thousands of systems to attacks. Security experts and researchers have warned Windows admins about the vulnerability, which has already been patched by Microsoft as part of the April Patch Tuesday release.

MSMQ is an optional component available on all Windows operating systems, which allows apps to have network communication capabilities with guaranteed message delivery. However, the vulnerability (CVE-2023-21554) allows unauthenticated attackers to execute code remotely on unpatched Windows servers by exploiting malicious MSMQ packets that have been carefully constructed.

The vulnerability affects all currently supported releases of Windows, including the latest versions - Windows 11 22H2 and Windows Server 2022. Check Point Research estimated that the vulnerability can target more than 360,000 Internet-exposed servers running the MSMQ service, which may be a conservative estimate since devices running the service that aren't reachable over the Internet aren't included in the estimation.

Given that the service is an optional Windows component that is not activated by default, and is utilized by other programs, it is frequently toggled on in the background when installing enterprise apps, and continues to function long after the apps have been uninstalled. MSMQ is also automatically enabled during Exchange Server installs.

Since the vulnerability is low complexity and doesn't require user interaction, it is likely to be targeted by threat actors. Therefore, Microsoft advises admins to patch the vulnerability immediately, and companies who are unable to apply the patch can disable the MSMQ service to remove the attack vector. Firewall rules can also be used to prevent 1801/TCP connections from coming from untrusted sources.

IMPORTANT POINTS

• Critical vulnerability discovered in Windows Message Queuing (MSMQ) middleware service
• Allows unauthenticated attackers to execute code remotely on unpatched Windows servers
• Low-complexity attacks that don't require user interaction
• Affects all currently supported releases of Windows, including Windows 11 22H2 and Windows Server 2022
• More than 360,000 Internet-exposed servers running MSMQ service estimated to be vulnerable
• Admins advised to patch vulnerability immediately, and companies who cannot apply patch can disable MSMQ service or use firewall rules
• Patching and securing IT infrastructure is crucial to prevent potential attacks and mitigate risks to systems

Conclusion:

• The critical vulnerability discovered in the Windows Message Queuing (MSMQ) middleware service highlights the importance of timely patching and securing IT infrastructure. Companies should prioritize the patching of this vulnerability to prevent potential attacks and mitigate risks to their systems.