{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-023.pdf"
    },
    "title": "Remote Code Execution vulnerability in Microsoft Message Queuing",
    "serial_number": "2023-023",
    "publish_date": "17-04-2023 13:28:00",
    "description": "On April 11, 2023, Microsoft released a security update for a critical vulnerability in the Microsoft Message Queuing, commonly known as MSMQ. This vulnerability is identified as CVE-2023-21554 (CVSS score of 9.8) and could allow unauthenticated attackers to remotely execute arbitrary code.",
    "url_title": "2023-023",
    "content_markdown": "--- \ntitle: 'Remote Code Execution vulnerability in Microsoft Message Queuing'\nversion: '1.0'\nnumber: '2023-023'\noriginal_date: 'April 11, 2023'\ndate: 'April 17, 2023'\n---\n\n_History:_\n\n* _17/04/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn April 11, 2023, Microsoft released a security update for a critical vulnerability in the Microsoft Message Queuing, commonly known as MSMQ [1]. This vulnerability is identified as **CVE-2023-21554** (CVSS score of 9.8) and could allow unauthenticated attackers to remotely execute arbitrary code [2].\n\n# Technical Details\n\nThe CVE-2023-21554 vulnerability allows an unauthenticated attacker to potentially execute arbitrary code in the context of the Windows service process: `mqsvc.exe`. The attack vector uses the service port `1801/tcp` [3].\n\n# Affected Products\n\nMSMQ is provided as **an optional Windows component** and is still available on **all Windows operating systems**, including the latest Windows Server 2022 and Windows 11 [2, 3].\n\n# Recommendations\n\nCERT-EU strongly recommends applying the latest patches for Microsoft Windows operating systems. The vulnerability was patched in the April 2023 Security Updates [4]. \n\n## Mitigations\n\nYou can prevent exploitation of this vulnerability by disabling MSMQ, a Windows component that can be turned off through the Control Panel [2].\n\nIn addition, you may block the inbound connections for `1801/tcp` from untrusted sources [3].\n\n## Detections\n\nTo detect potential exploitation attempts, CERT-EU recommends reviewing network connections on endpoints where the Microsoft Message Queuing service is running (port `1801/tcp`) from unexpected sources, and then, reviewing the potential child processes of `mqsvc.exe` for suspicious events (e.g., `mqsvc.exe` executing `cmd.exe` or `powershell.exe`, among other binaries).\n\n# References\n\n[1] <https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms711472(v=vs.85)>\n\n[2] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554>\n\n[3] <https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/?__cf_chl_tk=7J8iZgI93c_ba6v1rOms3UyRgIV9ww0x57IqmNjMQsQ-1681463870-0-gaNycGzNDJA>\n\n[4] <https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>17/04/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On April 11, 2023, Microsoft released a security update for a critical vulnerability in the Microsoft Message Queuing, commonly known as MSMQ [1]. This vulnerability is identified as <strong>CVE-2023-21554</strong> (CVSS score of 9.8) and could allow unauthenticated attackers to remotely execute arbitrary code [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The CVE-2023-21554 vulnerability allows an unauthenticated attacker to potentially execute arbitrary code in the context of the Windows service process: <code>mqsvc.exe</code>. The attack vector uses the service port <code>1801/tcp</code> [3].</p><h2 id=\"affected-products\">Affected Products</h2><p>MSMQ is provided as <strong>an optional Windows component</strong> and is still available on <strong>all Windows operating systems</strong>, including the latest Windows Server 2022 and Windows 11 [2, 3].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends applying the latest patches for Microsoft Windows operating systems. The vulnerability was patched in the April 2023 Security Updates [4]. </p><h3 id=\"mitigations\">Mitigations</h3><p>You can prevent exploitation of this vulnerability by disabling MSMQ, a Windows component that can be turned off through the Control Panel [2].</p><p>In addition, you may block the inbound connections for <code>1801/tcp</code> from untrusted sources [3].</p><h3 id=\"detections\">Detections</h3><p>To detect potential exploitation attempts, CERT-EU recommends reviewing network connections on endpoints where the Microsoft Message Queuing service is running (port <code>1801/tcp</code>) from unexpected sources, and then, reviewing the potential child processes of <code>mqsvc.exe</code> for suspicious events (e.g., <code>mqsvc.exe</code> executing <code>cmd.exe</code> or <code>powershell.exe</code>, among other binaries).</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms711472(v=vs.85)\">https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms711472(v=vs.85)</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/?__cf_chl_tk=7J8iZgI93c_ba6v1rOms3UyRgIV9ww0x57IqmNjMQsQ-1681463870-0-gaNycGzNDJA\">https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/?__cf_chl_tk=7J8iZgI93c_ba6v1rOms3UyRgIV9ww0x57IqmNjMQsQ-1681463870-0-gaNycGzNDJA</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr\">https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}