Microsoft patched over 100 vulnerabilities this week in its merchandise, together with a zero-day privilege escalation flaw used within the wild by a ransomware gang. Nonetheless, one other essential vulnerability that may be simply exploited to take over Home windows techniques remotely over native networks and the web is prone to be of extra curiosity to attackers and see widespread exploitation sooner or later.
Dubbed QueueJumper and tracked as CVE-2023-21554, the flaw was found by researchers from safety agency Test Level Software program Applied sciences and is rated 9.8 out of 10 on the CVSS severity scale. Microsoft’s personal advisory lists the assault complexity as low and the exploitability evaluation as extra seemingly. The affect is distant code execution.
Distant code execution in legacy Message Queuing service
The flaw is in a Home windows element referred to as the Microsoft Message Queuing (MSMQ) service that enables purposes to speak and guarantee message supply even when networks and techniques are briefly offline by maintaining messages in a queue. This service has existed in Home windows since Home windows NT and has seen a number of variations through the years. When lively, the service accepts communications on port 1801 TCP.
Despite the fact that MSMQ is usually thought of a legacy service that has been outmoded by newer communication applied sciences, it nonetheless exists as an elective element in Home windows 11 and the newest model of Home windows Server. Furthermore, purposes which are designed to make use of it should allow it at set up time, which could occur with out customers or admins realizing.
Microsoft’s documentation offers examples of use instances for MSMQ equivalent to mission-critical monetary companies for digital commerce, embedded and hand-held purposes like these utilized in baggage routing techniques in airports, and gross sales automation purposes for touring gross sales representatives. It is price noting that this documentation was written in 2016, so the listing of purposes that use it’s actually not exhaustive.
The truth is, according to Check Point researcher Haifei Li, one utility that is extensively utilized by firms allows the MSMQ service in the course of the set up course of with default settings: Microsoft Trade Server. On-premise Microsoft Trade Servers have been a favourite goal for attackers, particularly cyberespionage teams, in recent times.
„We now know the assault vector sends packets to the service port 1801/tcp,“ Li stated. “As a way to have a greater understanding of the potential affect in the actual world of this service, CPR [Check Point Research] did a full Web scan. Surprisingly, we discovered that greater than ~360,000 IPs have the 1801/tcp open to the web and are operating the MSMQ service. Word that this solely contains the variety of hosts going through the Web and doesn’t account for computer systems internet hosting the MSMQ service on inside networks, the place the quantity needs to be much more.“
Test Level recommends that directors decide whether or not the Message Queuing service is operating on their techniques and if they’ll disable it with out impacting essential purposes. If the service is required and Microsoft’s patch cannot be utilized instantly, organizations ought to block entry to TCP port 1801 from untrusted IP addresses utilizing a firewall. Word that this won’t shield the system from assaults within the case of a neighborhood community compromise and lateral motion exercise that enables attackers to compromise one of many trusted techniques on the firewall’s IP whitelist. Lateral motion is a typical approach employed by most APT and ransomware gangs.
Different Microsoft Home windows vulnerabilities that want fast consideration
One other distant code execution vulnerability with a severity rating of 9.8 that is much like MSMQ’s was patched within the Home windows Pragmatic Common Multicast (PGM) element. This flaw is tracked as CVE-2023-28250 and can also be depending on the MSMQ being lively and the system accepting connections on TCP port 1801. Nonetheless, Microsoft considers exploitation of this flaw much less seemingly.
The zero-day vulnerability patched by Microsoft that is reportedly already utilized by a ransomware gang referred to as Nokoyawa is tracked as CVE-2023-28252 and is situated within the Home windows Frequent Log File System (CLFS) driver. This can be a privilege escalation vulnerability with a severity rating of seven.8 that can’t be exploited remotely however may be exploited domestically on the system to realize code execution as SYSTEM. Microsoft patched two related CLFS vulnerabilities over the previous 12 months, in February 2023 and in September 2022.
„April 2023 additionally sees 45 separate distant code execution (RCE) vulnerabilities patched, which is a big uptick from the typical of 33 per 30 days over the previous three months,“ Adam Barnett, lead software program engineer at safety agency Rapid7, tells CSO by way of e-mail. „Microsoft charges seven of this month’s RCE vulnerabilities as essential, together with two associated vulnerabilities with a CVSSv3 base rating of 9.8.“
Copyright © 2023 IDG Communications, Inc.