We are pleased to inform you that our team has effectively assessed the risk associated with the vulnerability based on the currently available information. If any further relevant updates will be available regarding the technical aspects of the exploitation, we will promptly provide a new update.
If you have any questions, please do not hesitate to reach out to us.
Following our latest message regarding the newly discovered vulnerability in Microsoft’s MSMQ Service (CVE-2023-21554), we would like to direct our customers to several tools that can be useful to gain better visibility for the potentially vulnerable servers, so as to conduct threat hunting to identify exploitation attempts:
1. MSMQ Unauthenticated RCE Visibility Dashboard - The dashboard is now accessible on Hunters’ platform, providing you with an indication of Windows computing resources that are potentially vulnerable to the new MSMQ Unauthenticated RCE vulnerability. The identification of vulnerable servers is being done based on the existence of mqsvc.exe processes on organizational devices. This dashboard distinguishes between external-facing resources and internal-facing ones. The dashboard can be found in the Hunters Platform, by navigating to Data → Visibility
2. MSMQ Unauthenticated RCE Visibility Queries - EDR Based - The query can be found on Team Axon’s Github page - FW Based - The query can be found on Team Axon’s Github page
3. MSMQ Abnormal activities queries - 2 SQL queries that can be used to identify abnormal activities related to the “mqsvc.exe” process (which is related to MSMQ) were uploaded to the Rapid Response GitHub repository: - Query 1 - Identification of mqsvc.exe child processes. - Query 2 - Identification of abnormal command lines related to mqsvc.exe
Note: It is important to mention that at the moment, the full technical details regarding the exploitation of the vulnerability hadn’t been published. The hunting queries were developed based on the team’s research and current understanding of the attack surface. Hence the hunting queries will be updated and corrected as the research progresses.
Team Axon has been conducting a focused threat hunting against the MSMQ Unauthenticated RCE Vulnerability. Affected customers will be informed directly.
As always, feel free to contact the team for further assistance or additional questions.
Sincerely, Team Axon.
Posted Apr 13, 2023 - 14:41 UTC
Investigating
Team Axon is aware of the newly discovered vulnerabilities in Microsoft’s “Message Queuing” Service (also known as MSMQ). We would like to provide you with initial information and some recommended mitigation steps.
Initial information:
1. Three MSMQ-related vulnerabilities (identified by CheckPoint (https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/) were patched by Microsoft as part of the April Patch Tuesday update. 2. One of the vulnerabilities - CVE-2023-21554, had been categorized as “Critical” - with a CVSS score of 9.8. This specific vulnerability allows unauthenticated RCE (Remote code execution). 3. The MSMQ service (feature) is an optional one and can be easily installed and enabled on Windows Operating Systems (including the newest versions). 4. Currently, there are not many details about the exploitation methods, however, according to the available information, we can tell that this is a relatively easy vulnerability to exploit, using a dedicated network packet. 5. To exploit this vulnerability, a specially crafted malicious MSMQ packet should be sent to port 1801 (TCP) on an “MSMQ Server”.
Mitigation Steps:
1. Install the dedicated patch that had been published by Microsoft to protect your assets. (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554) 2. Block inbound connections over port 1801 (TCP) toward your relevant assets. 3. In case MSMQ Service is required, reduce the allowed incoming network traffic over port 1801 (TCP), so it will be allowed from known and required sources only.
We recommend evaluating the mitigation steps as soon as possible since the technical details about this vulnerability will probably be published in the near future, hence the probability of exploitation might be significantly higher.
Team Axon is now working on tools and hunting queries to allow our customers to have better visibility for their CVE-2023-21554-related attack surface. In addition, we keep learning and characterizing this vulnerability, to conduct a vulnerability-focused threat hunting over our customer’s data. We’ll privately contact customers that will be found as impacted.
Additional updates will be posted on Axon’s status page as soon as possible.