MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis


The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queuing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy.


Research Motivations


The following qualities of CVE-2023-21554 drew initial attention:


Because third-party applications use MSMQ queues in varying ways, it is difficult to identify the full breadth of the vulnerability's impact across environments.
Initial reports described 360,000 Internet-accessible hosts with the MSMQ service exposed, while Shodan at the time showed a mere 250. This discrepancy made the extent of possible exposure even less clear.
The vulnerability is classified as remote code execution, requires no authentication, and affects a wide range of Windows platforms.
The only apparent requirement is that the service is reachable on TCP port 1801.
