CVE-2023-28302
📋 TL;DR
This vulnerability in Microsoft Message Queuing (MSMQ) allows attackers to cause a denial of service by sending specially crafted packets to the service. Systems running MSMQ with the service enabled are affected. The vulnerability requires network access to the MSMQ service port.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of MSMQ, potentially affecting dependent applications and causing business process interruptions.
Likely Case
MSMQ service crashes or becomes unresponsive, requiring manual restart and causing temporary service disruption.
If Mitigated
Minimal impact with proper network segmentation and monitoring; service may restart automatically depending on configuration.
🎯 Exploit Status
Exploitation requires network access to MSMQ service but no authentication. The vulnerability is in the protocol handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2023 security updates or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28302
Restart Required: Yes
Instructions:
1. Apply May 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsStop and disable the MSMQ service if not required
sc stop MSMQ
sc config MSMQ start= disabled
Block MSMQ Ports
windowsBlock network access to MSMQ ports (TCP 1801, UDP 3527, TCP 2103, TCP 2105)
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801,2103,2105
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=3527
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to MSMQ services
- Monitor MSMQ service health and restart automatically if crashes occur
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is running: 'sc query MSMQ' and check Windows version with 'systeminfo'Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify May 2023 updates are installed via 'wmic qfe list' or check Windows Update history📡 Detection & Monitoring
Log Indicators:
- MSMQ service crash events in Windows System logs
- Unexpected MSMQ service restarts
Network Indicators:
- Unusual traffic patterns to MSMQ ports (TCP 1801)
- Multiple connection attempts to MSMQ from single source
SIEM Query:
EventID=7031 OR EventID=7034 AND ServiceName="MSMQ" OR destination_port=1801 AND protocol=TCP