CVE-2023-21769
📋 TL;DR
This vulnerability in Microsoft Message Queuing (MSMQ) allows an unauthenticated attacker to send specially crafted packets to an MSMQ server, causing it to crash and resulting in a denial of service. Any system running MSMQ with the vulnerable component is affected, primarily Windows servers with MSMQ enabled.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of MSMQ functionality, potentially affecting dependent applications and services that rely on message queuing.
Likely Case
MSMQ service crashes, requiring manual restart and causing temporary message processing interruption.
If Mitigated
No impact if MSMQ is disabled or properly firewalled; minimal impact if patched.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires network access to the MSMQ service port (typically TCP 1801).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in February 2023 (e.g., KB5022834 for Windows Server 2022)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21769
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft Update. 2. Restart the system to complete the installation. 3. Verify MSMQ service is running normally after restart.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsStop and disable the MSMQ service if not required for business operations.
sc stop MSMQ
sc config MSMQ start= disabled
Block MSMQ Ports
windowsConfigure firewall rules to block inbound connections to MSMQ ports (TCP 1801, UDP 3527, 1805).
New-NetFirewallRule -DisplayName "Block MSMQ" -Direction Inbound -LocalPort 1801,1805,3527 -Protocol TCP,UDP -Action Block
🧯 If You Can't Patch
- Disable MSMQ service if not essential for operations
- Implement strict network segmentation and firewall rules to restrict access to MSMQ ports
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is installed and running: Get-Service MSMQ | Select Status, StartTypeCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify Windows Update history contains the relevant security update and MSMQ service runs without crashing under normal load.📡 Detection & Monitoring
Log Indicators:
- Event ID 7031 in System logs indicating MSMQ service terminated unexpectedly
- Application crashes in Application logs
Network Indicators:
- Unusual traffic patterns to TCP port 1801
- Multiple connection attempts to MSMQ service
SIEM Query:
EventID=7031 AND ServiceName="MSMQ" OR (EventID=1000 AND ProcessName="mqsvc.exe")