CVE-2023-36912
📋 TL;DR
This vulnerability in Microsoft Message Queuing (MSMQ) allows attackers to cause a denial of service by sending specially crafted malicious packets. It affects Windows systems with MSMQ enabled, potentially causing service crashes and system instability. Organizations using MSMQ for messaging services are primarily affected.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of MSMQ, potentially affecting dependent applications and causing system instability requiring reboot.
Likely Case
MSMQ service crashes, interrupting message processing and requiring service restart.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting exposure.
🎯 Exploit Status
Exploitation requires network access to MSMQ service port (typically TCP 1801). No authentication required for the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates - KB5028169 and others
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36912
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsIf MSMQ is not required, disable the service to eliminate the attack surface.
sc config MSMQ start= disabled
sc stop MSMQ
Block MSMQ Ports
windowsBlock network access to MSMQ ports (TCP 1801, UDP 3527, TCP 2103, TCP 2105) at firewall.
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801,2103,2105
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=3527
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MSMQ servers from untrusted networks
- Monitor MSMQ service health and restart automatically if crashes occur
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is running: sc query MSMQ | findstr "RUNNING". If running and unpatched, system is vulnerable.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify July 2023 security updates are installed: wmic qfe list | findstr "KB5028169" or check installed updates in Control Panel.📡 Detection & Monitoring
Log Indicators:
- MSMQ service crash events in Windows System logs (Event ID 7031, 7034)
- Unexpected MSMQ service restarts
Network Indicators:
- Unusual traffic patterns to MSMQ port 1801
- Multiple connection attempts to MSMQ from single source
SIEM Query:
EventID=7031 OR EventID=7034 AND ServiceName="MSMQ" | stats count by SourceIP, ServiceName