The #QueueJumper MSMQ vuln is a great find. I don’t know if there’s much knowledge in InfoSec about MSMQ but it’s very widely used in middleware - eg pretty much all the main Siemens ICS products use it.

https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/

QueueJumper: Critical Unauthorized RCE Vulnerability in MSMQ Service

Check Point Research recently discovered three vulnerabilities in the "Microsoft Message Queuing" service, commonly known as MSMQ. These vulnerabilities were disclosed to Microsoft and patched in the April Patch Tuesday update. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthorized attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Could @shodan add port 1801 to scanning? 🙏

Accidentally deleted my #QueueJumper toots, but so far no sign of any in the wild exploitation, no technical write up and no public exploit. Monitoring with real world MSMQ, all quiet too.

Credits to CheckPoint for not providing exploitation details, which has given orgs time to patch. Also kudos to not branding it a “cyber pandemic” this time.

Pretty funny easy query to know if #QueueJumper request is internet scanning or malicious - filters out internet scanning. A month since publication, I haven't seen any in the wild exploitation (even just crashing the service, which is ridiculously easy).

VMConnection
| where ProcessName == "mqsvc"   // only connections handled by the MSMQ service process
| where BytesSent != 572         // drop the fixed-size replies that internet scanners trigger
| where BytesSent != 0           // drop connections where the service sent nothing back
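The same triage logic, as an added example that is not from the thread or from the GossiTheDog ThreatHunting repo: it replays the query's predicate over constructed rows shaped like the VMConnection records the query runs against, and then goes one step beyond the row-level filter by summarising per remote address, so a host that only ever produced the 572-byte or empty exchanges is labelled as scanning and anything else is flagged for a look. The 572-byte value is the one the thread uses; the sample rows, the field names beyond ProcessName and BytesSent, and the per-remote summary are assumptions.

```python
from collections import defaultdict

# Taken from the thread's query: the response size that marks plain internet scanning.
SCANNER_RESPONSE_BYTES = 572

# Constructed sample rows (not real telemetry), shaped like VMConnection records.
# RemoteIp and DestinationPort are assumed field names for illustration.
SAMPLE_ROWS = [
    {"ProcessName": "mqsvc",   "RemoteIp": "203.0.113.10", "DestinationPort": 1801, "BytesSent": 572},
    {"ProcessName": "mqsvc",   "RemoteIp": "203.0.113.10", "DestinationPort": 1801, "BytesSent": 572},
    {"ProcessName": "mqsvc",   "RemoteIp": "198.51.100.7", "DestinationPort": 1801, "BytesSent": 0},
    {"ProcessName": "mqsvc",   "RemoteIp": "198.51.100.7", "DestinationPort": 1801, "BytesSent": 572},
    {"ProcessName": "mqsvc",   "RemoteIp": "192.0.2.44",   "DestinationPort": 1801, "BytesSent": 1204},
    {"ProcessName": "svchost", "RemoteIp": "192.0.2.44",   "DestinationPort": 445,  "BytesSent": 1204},
]


def is_scan_like(bytes_sent):
    """True for the two exchange sizes the query discards: the scanner reply and an empty reply."""
    return bytes_sent in (0, SCANNER_RESPONSE_BYTES)


def flag_msmq_connections(rows):
    """Row-level equivalent of the KQL: mqsvc connections whose BytesSent is neither 572 nor 0."""
    return [r for r in rows if r["ProcessName"] == "mqsvc" and not is_scan_like(r["BytesSent"])]


def summarise_by_remote(rows):
    """Per remote address (an extension of the thread's filter, assumed here):
    'scanner' if every mqsvc exchange with that address was scan-like,
    'investigate' if at least one exchange had a different size."""
    sizes_by_ip = defaultdict(list)
    for r in rows:
        if r["ProcessName"] == "mqsvc":
            sizes_by_ip[r["RemoteIp"]].append(r["BytesSent"])
    return {
        ip: ("scanner" if all(is_scan_like(b) for b in sizes) else "investigate")
        for ip, sizes in sizes_by_ip.items()
    }


if __name__ == "__main__":
    for row in flag_msmq_connections(SAMPLE_ROWS):
        print("flagged:", row)
    for ip, verdict in summarise_by_remote(SAMPLE_ROWS).items():
        print(ip, verdict)
```

The per-remote summary is what you would pivot to once the row filter fires: a source that has only ever seen scan-sized exchanges is noise, while one with an odd-sized exchange is the thing worth pulling packet captures or service logs for.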

MDE AHQ for exploitation: https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/QueueJumper.ahq

Still seen no in the wild exploitation of CVE-2023-21554 aka #QueueJumper, from a wide variety of telemetry. Turns out not publishing an RCE exploit helps prevent exploitation.
Btw it turns out you don’t need MSMQ for MS Exchange Server with latest versions - the setup just installs it for no reason, then people present it to the internet for no reason.

Just checking in on all the MSMQ vulnerabilities in 2023 including #QueueJumper - from honeypots, I didn’t see a single exploitation attempt, just scanning.

There also still isn’t a proof of concept exploit that reaches remote code execution. #threatintel

@GossiTheDog as soon as it came out and we didn't have a dedicated need for msmq on 99% of our stuff, we disabled it via GPO and intune policy.

@GossiTheDog MSMQ is such a damn nightmare. I see it deployed on OT networks all the time, but since you pretty much can't enable any form of meaningful security on it without AD integration (which... yeah, lol, no, it's an OT network, ain't happening) it's a complete shitshow to do anything about once it's already designed into a system. Microsoft really need to fully deprecate it and get it the fuck out of every one of their products.

@GossiTheDog This may be of interest in your MSMQ testing:

https://github.com/gsuberland/MSMQCheck
