CVE-2023-38172

Q: What is the severity of CVE-2023-38172?

CVE-2023-38172 has a CVSS score of 7.5 (HIGH). This vulnerability in Microsoft Message Queuing (MSMQ) allows attackers to cause a denial of service by sending specially crafted packets. Systems running MSMQ service are affected, potentially disrupting message processing and service availability.

7.5 HIGH

Denial of Service

📋 TL;DR

This vulnerability in Microsoft Message Queuing (MSMQ) allows attackers to cause a denial of service by sending specially crafted packets. Systems running MSMQ service are affected, potentially disrupting message processing and service availability.

💻 Affected Systems

Products:

Microsoft Message Queuing (MSMQ)

Versions: All supported versions of Windows Server with MSMQ enabled

Operating Systems: Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ✅ No

Notes: MSMQ is an optional Windows component that must be explicitly installed and enabled to be vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of MSMQ, causing message queue processing to stop and potentially affecting dependent applications.

🟠

Likely Case

Service crashes requiring restart, temporary disruption to message processing capabilities.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring in place.

🌐 Internet-Facing: MEDIUM - MSMQ typically not exposed to internet by default, but misconfigurations could expose it.

🏢 Internal Only: HIGH - MSMQ is commonly used internally for application messaging, making internal networks the primary attack surface.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to MSMQ service port (typically TCP 1801).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply latest Windows security updates from September 2023 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38172

Restart Required: Yes

Instructions:

1. Apply Windows security updates via Windows Update or WSUS. 2. Restart affected systems. 3. Verify MSMQ service is running properly after restart.

🔧 Temporary Workarounds

Disable MSMQ Service

windows

Stop and disable MSMQ service if not required

sc stop MSMQ
sc config MSMQ start= disabled

Block MSMQ Ports

windows

Block network access to MSMQ ports using firewall

netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801,2103,2105,2107

🧯 If You Can't Patch

Implement network segmentation to restrict access to MSMQ services
Monitor MSMQ service logs for unusual restart patterns or connection attempts

🔍 How to Verify

Check if Vulnerable:

Check if MSMQ service is installed and running: Get-WindowsFeature MSMQ* or sc query MSMQ

Check Version:

Get-WmiObject -Class Win32_Service -Filter "Name='MSMQ'" | Select-Object Name, State, StartMode

Verify Fix Applied:

Verify Windows Update history shows September 2023 security updates installed and MSMQ service version

📡 Detection & Monitoring

Log Indicators:

MSMQ service crashes in Event Viewer (Application logs)
Multiple MSMQ service restarts in short timeframe

Network Indicators:

Unusual traffic patterns to TCP port 1801
Multiple connection attempts to MSMQ from single source

SIEM Query:

EventID=7031 AND ServiceName="MSMQ" OR DestinationPort=1801 AND Protocol="TCP" AND AbnormalTrafficPattern

📊 Metadata

CVE ID: CVE-2023-38172

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-126

Published: August 8, 2023

Last Updated: January 1, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38172 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38172 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable MSMQ Service

Block MSMQ Ports

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities