Credit: Tookapic / Insspirito
Microsoft patched over 100 vulnerabilities this week in its products, including a zero-day privilege escalation flaw used in the wild by a ransomware gang. However, another critical vulnerability that can be easily exploited to take over Windows systems remotely over local networks and the internet is likely to be of more interest to attackers and see widespread exploitation in the future.
Dubbed QueueJumper and tracked as CVE-2023-21554, the flaw was discovered by researchers from security firm Check Point Software Technologies and is rated 9.8 out of 10 on the CVSS severity scale. Microsoft's own advisory lists the attack complexity as low and the exploitability assessment as more likely. The impact is remote code execution.
Remote code execution in legacy Message Queuing service
The flaw is in a Windows component called the Microsoft Message Queuing (MSMQ) service that allows applications to communicate and ensure message delivery even when networks and systems are temporarily offline by keeping messages in a queue. This service has existed in Windows since Windows NT and has seen multiple versions over the years. When active, the service accepts communications on port 1801 TCP.
Even though MSMQ is generally considered a legacy service that has been superseded by newer communication technologies, it still exists as an optional component in Windows 11 and the latest version of Windows Server. Moreover, applications that are designed to use it will enable it at installation time, which might happen without users or admins realising.
Microsoft's documentation gives examples of use cases for MSMQ such as mission-critical financial services for electronic commerce, embedded and hand-held applications like those used in baggage routing systems in airports, and sales automation applications for traveling sales representatives. It's worth noting that this documentation was written in 2016, so the list of applications that use it is certainly not exhaustive.
In fact, according to Check Point researcher Haifei Li, one application that's widely used by companies enables the MSMQ service during the installation process with default settings: Microsoft Exchange Server. On-premise Microsoft Exchange Servers have been a favorite target for attackers, especially cyberespionage groups, in recent years.
"We now know the attack vector sends packets to the service port 1801/tcp," Li said. “In order to have a better understanding of the potential impact in the real world of this service, CPR [Check Point Research] did a full Internet scan. Surprisingly, we found that more than ~360,000 IPs have the 1801/tcp open to the internet and are running the MSMQ service. Note that this only includes the number of hosts facing the Internet and does not account for computers hosting the MSMQ service on internal networks, where the number should be far more."
Check Point recommends that administrators determine whether the Message Queuing service is running on their systems and if they can disable it without impacting critical applications. If the service is needed and Microsoft's patch can't be applied immediately, organisations should block access to TCP port 1801 from untrusted IP addresses using a firewall. Note that this will not protect the system from attacks in the case of a local network compromise and lateral movement activity that allows attackers to compromise one of the trusted systems on the firewall's IP whitelist. Lateral movement is a common technique employed by most APT and ransomware gangs.
Other Microsoft Windows vulnerabilities that need immediate attention
Another remote code execution vulnerability with a severity score of 9.8 that's similar to MSMQ’s was patched in the Windows Pragmatic General Multicast (PGM) component. This flaw is tracked as CVE-2023-28250 and is also dependent on the MSMQ being active and the system accepting connections on TCP port 1801. However, Microsoft considers exploitation of this flaw less likely.
The zero-day vulnerability patched by Microsoft that's reportedly already used by a ransomware gang called Nokoyawa is tracked as CVE-2023-28252 and is located in the Windows Common Log File System (CLFS) driver. This is a privilege escalation vulnerability with a severity score of 7.8 that cannot be exploited remotely but can be exploited locally on the system to gain code execution as SYSTEM. Microsoft patched two similar CLFS vulnerabilities over the past year, in February 2023 and in September 2022.
"April 2023 also sees 45 separate remote code execution (RCE) vulnerabilities patched, which is a significant uptick from the average of 33 per month over the past three months," Adam Barnett, lead software engineer at security firm Rapid7, tells CSO via email. "Microsoft rates seven of this month’s RCE vulnerabilities as critical, including two related vulnerabilities with a CVSSv3 base score of 9.8."
