In its August Patch Tuesday update, Microsoft assessed numerous RCE vulnerabilities, deeming many as below critical in terms of severity. However, CVE-2023-36910, CVE-2023-36911, and CVE-2023-35385 were categorized as critical, necessitating immediate attention.
Here’s what you need to know:
What are CVE-2023-36910, CVE-2023-36911 & CVE-2023-35385?
Message Queuing (MSMQ) is a protocol formulated by Microsoft that facilitates dependable communication between Windows computers over varied networks. It retains a message queue of undelivered messages to maintain communication even when a host is momentarily disconnected.
Yuki Chen, a security expert from Cyber KunLun, identified six vulnerabilities in Microsoft Message Queuing. These include the previously mentioned three, along with two DoS vulnerabilities (CVE-2023-36912 and CVE-2023-38172), and CVE-2023-35383, which pertains to information disclosure.
CVE-2023-36910 impacts Microsoft Message Queuing on Windows 10, 11, and Server 2008-2022 platforms. An external remote attacker could harness, without needing user privileges, this vulnerability over the network to execute random code on the compromised systems. The Powershell-based Mitigate Message Queuing RCE Vulnerability Worklet mitigates the Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36911 and CVE-2023-35385 represent two additional critical RCEs in Microsoft Message Queuing. Similar to CVE-2023-36910, these vulnerabilities can be exploited over the network without needing user interaction or privileges.
Do CVE-2023-36910, CVE-2023-36911 & CVE-2023-35385 affect me?
The vulnerabilities affect Microsoft Message Queuing on Windows 10, 11, and Server 2008-2022 systems. However, For an attacker to take advantage of these vulnerabilities, they must transmit a specifically designed MSMQ packet to an MSMQ server, If they successfully exploit the vulnerability, an unauthenticated attacker can execute remote code on the target server.
Have CVE-2023-35385, CVE-2023-36910 or CVE-2023-36911 been actively exploited in the wild?
While active exploits targeting Message Queuing haven’t been detected yet, it seems like an example PoCs will become available just a matter of time. You can block TCP port 1801 as mitigation, but the better choice is to test and deploy the update quickly.
How to fix CVE-2023-36910, CVE-2023-36911 & CVE-2023-35385
Organizations have several mitigation strategies at their disposal to reduce risks from these vulnerabilities. “Mitigating factors encompass default settings, typical configurations, or overarching best practices that inherently lessen the impact of exploiting a vulnerability,” explained M. Walters, VP of vulnerability and threat research at Action1.
For a system to be vulnerable, the Windows Message Queuing service must be active. Typically, this service is labeled ‘Message Queuing’, and the machine would have TCP port 1801 active and listening. Even though MSMQ isn’t activated by default nowadays, any device with it enabled is potentially at risk. Microsoft says if the service is enabled, it runs under the service name “Message Queuing” and is listening on TCP port 1801.
To address the vulnerabilities you should first check whether the MSMQ service is currently active: If it is it’s essential to halt its operations and adjust its startup setting to ‘disabled’. Following this, you should Establish a new Windows Firewall Rule. This rule, titled “AUTOMOX WORKLET: Block TCP 1801,” is designed to obstruct any traffic to TCP port 1801.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Announcing the Attack Path Graph for end-to-end risk prioritization
- Can you trust ChatGPT’s package recommendations?
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- IBM’s Cost of a Data Breach report 2023 – what we learned
