CVE-2023-36583

7.3 HIGH

📋 TL;DR

This vulnerability in Microsoft Message Queuing (MSMQ) allows remote attackers to execute arbitrary code on affected systems by sending specially crafted packets. It affects Windows systems with MSMQ enabled, particularly those exposed to untrusted networks. Successful exploitation could lead to full system compromise.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, Windows 11
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if MSMQ service is installed and enabled. MSMQ is not installed by default on most Windows versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with SYSTEM privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to credential harvesting, lateral movement within the network, and installation of malware.

🟢 If Mitigated

Limited impact due to network segmentation, proper patching, and disabled MSMQ service where not required.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to MSMQ service (TCP port 1801 by default). No authentication is required for the vulnerable component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2023 security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36583

Restart Required: Yes

Instructions:

1. Apply October 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy patches through WSUS or SCCM.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable MSMQ Service

Disable the Microsoft Message Queuing service if it is not required for business operations. Run from an elevated command prompt:

sc config MSMQ start= disabled
sc stop MSMQ

Block MSMQ Ports

Block inbound network access to the MSMQ ports (TCP 1801, 2103, 2105, 2107) at the host firewall. Note that this also blocks legitimate remote MSMQ clients, so apply it only where remote queue access is not needed. Run from an elevated command prompt:

netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801,2103,2105,2107

🧯 If You Can't Patch

  • Disable MSMQ service on all systems where it's not essential for business operations
  • Implement strict network segmentation to isolate MSMQ servers and block external access

🔍 How to Verify

Check if Vulnerable:

Check whether the MSMQ service is installed and running: Get-Service MSMQ (PowerShell) or sc query MSMQ (CMD). If the service exists and is running and the October 2023 update has not been installed, the system is vulnerable.

Check Version:

wmic qfe list brief | findstr /i "KB5031358"

(wmic qfe prints KB identifiers and install dates, not month names, so search for the KB of the October 2023 update for your OS version; KB5031358 is the one named below.)

Verify Fix Applied:

Verify that the October 2023 security updates are installed via: Get-HotFix -Id KB5031358 (or the relevant KB for your OS version). Also verify that the MSMQ service binary version matches the patched version.
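A single PowerShell check that combines the verification steps above, added here as an example and not part of the advisory. It assumes you extend the KB list per OS build (KB5031358 is the only id the advisory names) and that the NetTCPIP module (Windows 8 / Server 2012 and later) is available for the port check.

```powershell
# Added example (not part of the advisory). Reports whether this host is
# exposed to CVE-2023-36583 and, with -Disable, applies the service workaround.
# ASSUMPTION: $PatchedKBs must list the October 2023 KB for each OS build you
# run; KB5031358 is the only id the advisory names, add yours as needed.
function Get-MsmqExposure {
    param(
        [string[]]$PatchedKBs = @('KB5031358'),
        [switch]$Disable
    )

    $svc       = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $installed = $null -ne $svc
    $running   = $installed -and $svc.Status -eq 'Running'

    # Patched if any listed KB appears in the installed hotfix list
    $patched = $null -ne (Get-HotFix -Id $PatchedKBs -ErrorAction SilentlyContinue)

    # A TCP 1801 listener is the remotely reachable surface described above
    $listening = $null -ne (Get-NetTCPConnection -LocalPort 1801 -State Listen `
                            -ErrorAction SilentlyContinue)

    $state = if (-not $installed)             { 'NotInstalled' }
             elseif ($patched)                { 'Patched' }
             elseif ($running -or $listening) { 'Vulnerable-Exposed' }
             else                             { 'Vulnerable-ServiceStopped' }

    # Optional workaround: same effect as "sc config MSMQ start= disabled; sc stop MSMQ"
    if ($Disable -and $installed -and -not $patched) {
        Set-Service -Name MSMQ -StartupType Disabled
        if ($running) { Stop-Service -Name MSMQ -Force }
        $state = 'Vulnerable-Disabled'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        MsmqInstalled   = $installed
        MsmqRunning     = $running
        ListeningOn1801 = $listening
        PatchPresent    = $patched
        State           = $state
    }
}

# Run once for a report; add -Disable to apply the workaround on unpatched hosts
Get-MsmqExposure | Format-List
```

Run it elevated so the service and hotfix queries return complete results; the object it returns can be collected across hosts with Invoke-Command for fleet-wide triage.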

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with MSMQ process creation
  • Unusual network connections to port 1801
  • MSMQ service crash logs

Network Indicators:

  • Unusual traffic patterns to MSMQ ports (1801, 2103, 2105, 2107)
  • Malformed MSMQ protocol packets

SIEM Query:

source="windows" AND ((event_id=4688 AND (parent_process_name="*mqsvc.exe" OR process_name="*mqsvc.exe")) OR (destination_port=1801 AND protocol="TCP"))

(The MSMQ service runs as mqsvc.exe, so a pattern of "*msmq*" alone misses it; the outer parentheses ensure the source filter applies to both clauses.)
