2023-04-28 Update
GreyNoise researchers now have a tag, classified as malicious, for the full QueueJumper RCE Attempt. As of the time of this post, no active RCE scanning attempts have been seen in GreyNoise for the past 90 days.
Check Point Research is slated to reveal full technical details later in the day on Friday, April 28, 2023.
MICROSOFT MESSAGE QUEUING (MSMQ) QUEUEJUMPER RCE ATTEMPT | CVE-2023-21554
MICROSOFT MESSAGE QUEUING (MSMQ) CRAWLER | CVES: No associated CVEs
MICROSOFT MESSAGE QUEUING (MSMQ) HTTP CRAWLER | CVES: No associated CVEs
Check Point Research discovered three vulnerabilities in Microsoft Message Queuing (MSMQ) service, patched in April's Patch Tuesday update. The most severe, QueueJumper (CVE-2023-21554), is a critical vulnerability allowing unauthenticated remote code execution. The other two vulnerabilities involve unauthenticated remote DoS attacks:
- CVE-2023-21769 — unauthenticated Remote Application Level DoS (service crash)
- CVE-2023-28302 — unauthenticated Remote Kernel Level DoS (Windows BSOD)
MSMQ, though considered a “legacy” service, is still available on all Windows operating systems.
According to Check Point researchers, over 360,000 IPs have the 1801/tcp port open, running the MSMQ service. The service may be enabled without user knowledge when installing certain software, such as Microsoft Exchange Server. Exploiting MSMQ vulnerabilities could allow attackers to take over servers. It's crucial for administrators to check their servers and install Microsoft's official patch. If unable to apply the patch, blocking inbound connections for 1801/tcp from untrusted sources can serve as a workaround.
GreyNoise researchers have two activity (vs exploitation attempt) tags that detect when someone is scanning to find exposed instances of the MSMQ service:
When we combine these tags, we presently see (at the time of publishing this post) just over 500 unique IP addresses — all from sources we’ve qualified as benign (👋🏼 Censys and Shadowserver!). The most prolific scanning is happening on the non-HTTP endpoint.
GreyNoise strongly recommends that organizations use our blocklists to shut down any identified malicious IPs with extreme prejudice before they have a chance to cause harm.
Our researchers are also hard at work digging into the details of each of the three weaknesses to craft specific exploitation detections which will, by default, be coming from malicious sources.
GreyNoise's detection capabilities for inventory scans of MSMQ protocols provide a reliable and essential tool in identifying and blocking malicious IPs targeting these vulnerabilities. With the accuracy of GreyNoise tags, security professionals can trust the system to highlight potential threats, allowing them to focus on other critical aspects of their organization's security. These IP Blocklists are available to all GreyNoise users now.*
*You must be signed in to access Blocklists. Create an account today.