CVE-2023-35309
📋 TL;DR
This vulnerability in Microsoft Message Queuing (MSMQ) allows remote attackers to execute arbitrary code on affected systems by sending specially crafted packets. It affects Windows servers and workstations with MSMQ enabled. Attackers can potentially gain full control of vulnerable systems.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Remote code execution leading to system takeover, lateral movement within networks, and data exfiltration.
If Mitigated
Limited impact due to network segmentation, strict firewall rules, and disabled MSMQ service.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. No authentication required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35309
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Restart affected systems after patching.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsStop and disable the Microsoft Message Queuing service if not required
sc stop MSMQ
sc config MSMQ start= disabled
Block MSMQ Ports
allBlock TCP port 1801 and UDP port 3527 at network perimeter
🧯 If You Can't Patch
- Disable MSMQ service on all systems where it's not essential
- Implement strict network segmentation and firewall rules to block MSMQ traffic (TCP 1801/UDP 3527)
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is installed and running: 'sc query MSMQ' or check Windows Features for 'Microsoft Message Queue (MSMQ) Server'Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify July 2023 security updates are installed via 'systeminfo' or Windows Update history📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with MSMQ process creation
- Unexpected network connections to port 1801
- MSMQ service crash logs
Network Indicators:
- Unusual traffic to TCP port 1801
- Malformed MSMQ packets
- External connections to internal MSMQ services
SIEM Query:
source="windows" event_id=4688 process_name="*msmq*" OR destination_port=1801