Micropatches Released For “QueueJumper” Remote Code Execution in Microsoft Message Queuing (CVE-2023-21554)

 

April 2023 Windows Updates brought a fix for CVE-2023-21554, a remote code execution vulnerability in Microsoft Message Queuing Service. The vulnerability, nicknamed “QueueJumper”, was reported to Microsoft by Wayne Low of Fortinet’s FortiGuard Lab and Haifei Li with Check Point Research.

The first proof-of-concept became available on April 30, when Omair from Krash Consulting published it on GitHub. Another proof-of-concept by zoemurmure became available on May 18. Both of these made it possible for us to create a micropatch for this issue.

The vulnerability allows a remote unauthenticated attacker to cause memory corruption on a Windows computer running Microsoft Message Queuing Service, which can often be extended to executing arbitrary code on the computer. A detailed technical analysis (in Chinese) was provided by zoemurmure.

While still-supported Windows systems have already received the official vendor fix for this vulnerability, there are Windows systems out there that aren’t receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.

Our patch prevents memory corruption in a similar way to Microsoft’s. In this rare case, the vulnerable service must be restarted on Windows 10 for our patch to be applied, because the service employs the “arbitrary code execution” exploit mitigation, which interferes with our operations. Mind you, Microsoft’s patch requires a computer restart, but 0patch micropatches typically get applied without even relaunching vulnerable processes. This is not the case here, so make sure to restart the MSMQ service.
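One way to perform and confirm that restart on a Windows 10 host, as an added example rather than 0patch's own tooling. It assumes an elevated PowerShell session and the standard Message Queuing service name `MSMQ`.

```powershell
# Added example: relaunch Message Queuing so the newly started process can receive the micropatch.
# Assumptions: elevated PowerShell session; 'MSMQ' is the standard service name.
$name = 'MSMQ'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
if (-not $svc) {
    Write-Output "Message Queuing is not installed on $env:COMPUTERNAME; nothing to restart."
    return
}

if ($svc.State -ne 'Running') {
    Write-Output "$name is installed but not running (state: $($svc.State)); no running process to relaunch."
    return
}

# Remember the current process ID so the relaunch can be verified afterwards
$oldPid = $svc.ProcessId

# -Force also restarts any services that depend on MSMQ
Restart-Service -Name $name -Force -ErrorAction Stop

# Re-query and confirm the service is running in a new process
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
if ($svc.State -eq 'Running' -and $svc.ProcessId -ne $oldPid) {
    Write-Output "$name relaunched: PID $oldPid -> $($svc.ProcessId)"
} else {
    Write-Warning "$name did not come back as a new running process (state: $($svc.State), PID: $($svc.ProcessId))"
}
```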

Let’s see our micropatch in action. With 0patch disabled, the POC immediately crashes the Microsoft Message Queuing Service. With 0patch enabled, the attack doesn’t work anymore because the invalid packet is detected and blocked by our patch.

Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1
Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 7 (without ESU, with ESU year 1, and with ESU year 2)
Windows Server 2008 R2 (without ESU, with ESU year 1, and with ESU year 2)

 

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you’re using Windows systems that aren’t receiving official security updates anymore, 0patch will make sure these vulnerabilities won’t be exploited on your computers – and you won’t even have to know or care about these things.

If you’re new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center.

We’d like to thank Omair from Krash Consulting and zoemurmure for sharing their POCs, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

 

Article Link: 0patch Blog: Micropatches Released For “QueueJumper” Remote Code Execution in Microsoft Message Queuing (CVE-2023-21554)
