CVE-2023-36590

Q: What is the severity of CVE-2023-36590?

CVE-2023-36590 has a CVSS score of 7.3 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on systems running Microsoft Message Queuing (MSMQ) by sending specially crafted packets. It affects Windows systems with MSMQ enabled, particularly those exposed to untrusted networks. Successful exploitation could lead to complete system compromise.

7.3 HIGH

Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems running Microsoft Message Queuing (MSMQ) by sending specially crafted packets. It affects Windows systems with MSMQ enabled, particularly those exposed to untrusted networks. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:

Microsoft Message Queuing (MSMQ)

Versions: Windows Server 2012 R2 through Windows Server 2022, Windows 10 through Windows 11

Operating Systems: Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, Windows 11

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if MSMQ service is installed and enabled. MSMQ is not installed by default on most Windows systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to lateral movement within the network, credential harvesting, and installation of malware.

🟢

If Mitigated

Limited impact due to network segmentation, proper patching, and disabled MSMQ service.

🌐 Internet-Facing: HIGH - MSMQ exposed to internet allows unauthenticated remote attackers to exploit this vulnerability.

🏢 Internal Only: MEDIUM - Requires attacker to have network access to vulnerable systems, but could be exploited through phishing or compromised internal hosts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2023 security updates (KB5031361 for Windows 11, KB5031362 for Windows 10, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36590

Restart Required: Yes

Instructions:

1. Apply October 2023 security updates from Windows Update. 2. For enterprise environments, deploy patches via WSUS or SCCM. 3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable MSMQ Service

windows

Stop and disable the Microsoft Message Queuing service if not required.

sc stop MSMQ
sc config MSMQ start= disabled

Block MSMQ Ports

windows

Block TCP port 1801 and UDP port 3527 at network perimeter.

netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=3527

🧯 If You Can't Patch

Disable MSMQ service on all affected systems immediately
Implement strict network segmentation to isolate MSMQ systems from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check if MSMQ service is installed and running: Get-Service MSMQ (PowerShell) or sc query MSMQ (CMD). Check Windows version with winver command.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify October 2023 security updates are installed: Get-HotFix -Id KB5031361, KB5031362, or relevant KB for your OS version.

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with MSMQ process creation
Unexpected MSMQ service restarts
Security log events showing failed authentication to MSMQ

Network Indicators:

Unusual traffic on TCP port 1801 or UDP port 3527
MSMQ protocol anomalies in network traffic

SIEM Query:

source="windows" AND (event_id=4688 AND process_name="mqsvc.exe") OR (event_id=7045 AND service_name="MSMQ")

📊 Metadata

CVE ID: CVE-2023-36590

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Published: October 10, 2023

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36590 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36590 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft