Microsoft's Patch Tuesday fixed a critical vulnerability in the Message Queuing (MSMQ) service that allows an unauthenticated attacker to execute code on the target system. A public exploit is expected shortly. Apply the patch promptly or, as an interim workaround, block incoming network connections to the service.

Critical Vulnerability in MSMQ Service

As part of yesterday’s Microsoft Patch Tuesday, a critical security vulnerability in the “Microsoft Message Queuing” service was fixed. The flaw allows an attacker to execute code on the target system over the network without first authenticating to it.

Currently, no public exploit code is available, but both Microsoft and the security researchers who discovered the flaw expect this to change within days.

Although MSMQ is not enabled on a default Windows installation, it is also installed by other software products that depend on it (e.g., Exchange, SQL Server SSPI), so more systems may be affected than initially assumed. The Microsoft patch fixes the flaw; as an interim workaround, block incoming connections to TCP/1801 at the host or network firewall, keeping in mind that this also cuts off any legitimate MSMQ clients of that host.
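The host-side check and workaround described above, as an added example that is not part of the original post: the script reports whether the Message Queuing service is installed, whether mqsvc.exe is listening on TCP/1801, and the file version of the service binary, and with -Block it adds the inbound firewall rule. It uses only built-in cmdlets; the rule name is an arbitrary choice. Run it in an elevated PowerShell session.

```powershell
<#
  Added example (not from the original post): check this host for the
  Message Queuing service and a TCP/1801 listener, and optionally (-Block)
  add the inbound firewall rule used as the interim workaround.
  Requires an elevated PowerShell; the rule name below is an assumption.
#>
param(
    [switch]$Block
)

# 1. Is the service present at all? MSMQ is not installed by default, but
#    dependent products install it, so check rather than assume.
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "$env:COMPUTERNAME: MSMQ service is not installed."
    return
}
Write-Host "$env:COMPUTERNAME: MSMQ service is installed, status = $($svc.Status)"

# 2. Is anything listening on TCP/1801, and which process owns the socket?
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Host "No listener on TCP/1801."
} else {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("Listening on {0}:{1}, PID {2} ({3})" -f `
            $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
    }
}

# 3. Record the service binary's file version so it can be compared with the
#    version shipped in the patch.
$bin = Join-Path $env:SystemRoot "System32\mqsvc.exe"
if (Test-Path $bin) {
    $ver = (Get-Item $bin).VersionInfo
    Write-Host "mqsvc.exe file version: $($ver.FileVersion)"
}

# 4. Optional workaround: block inbound TCP/1801 on all firewall profiles.
#    This also blocks legitimate MSMQ clients; narrow it with -RemoteAddress
#    if specific peers must keep working until the patch is deployed.
if ($Block) {
    $ruleName = "Block inbound MSMQ TCP/1801 (workaround)"   # assumed name
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "Firewall rule '$ruleName' already exists."
    } else {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
        Write-Host "Added firewall rule '$ruleName'."
    }
}
```

Run it without parameters to inventory a host, and with -Block to apply the workaround. Once the patch is installed, remove the rule again with Remove-NetFirewallRule -DisplayName "Block inbound MSMQ TCP/1801 (workaround)" so that legitimate queuing traffic resumes.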

With the following advanced hunting query (Microsoft 365 Defender), you can search your own environment for devices on which the Message Queuing service has opened a listening socket:

// Devices where mqsvc.exe started listening on TCP/1801 in the last 30 days
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 1801   // LocalPort is an integer column, not a string
| where InitiatingProcessVersionInfoOriginalFileName has "MQSVC"
| summarize by DeviceName

If the service has been configured to use a port other than 1801, search for the process itself instead of the port:

// Devices on which the Message Queuing service process (mqsvc.exe) ran at all
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoOriginalFileName has "MQSVC"
| summarize by DeviceName
