CVE-2024-20661
📋 TL;DR
This vulnerability in Microsoft Message Queuing (MSMQ) allows an attacker to send specially crafted malicious packets to cause a denial of service condition. Systems running affected versions of Windows with MSMQ enabled are vulnerable. The vulnerability could cause the MSMQ service to stop responding.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of MSMQ functionality, potentially affecting dependent applications and business processes that rely on message queuing.
Likely Case
MSMQ service becomes unresponsive, requiring service restart and causing temporary disruption to message processing.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting who can reach MSMQ endpoints.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires network access to MSMQ endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: January 2024 security updates (KB5034120 for Windows 11, KB5034119 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20661
Restart Required: Yes
Instructions:
1. Apply January 2024 security updates from Windows Update. 2. Alternatively, download and install the specific KB patch for your Windows version. 3. Restart the system to complete installation.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsStop and disable the MSMQ service if not required for business operations
sc stop MSMQ
sc config MSMQ start= disabled
Block MSMQ Ports
windowsBlock network access to MSMQ ports (TCP 1801, TCP 2103, TCP 2105, UDP 3527, UDP 1801)
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801,2103,2105
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=3527,1801
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to MSMQ endpoints only to trusted systems
- Monitor MSMQ service health and restart automatically if service stops responding
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is running: 'sc query MSMQ' and check Windows version with 'winver'Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify January 2024 security updates are installed via 'systeminfo' or Settings > Windows Update > Update history📡 Detection & Monitoring
Log Indicators:
- MSMQ service crash events in Windows Event Log (Event ID 7031, 7034)
- Unexpected MSMQ service restarts
- High volume of network traffic to MSMQ ports
Network Indicators:
- Unusual traffic patterns to TCP port 1801, 2103, 2105 or UDP port 3527, 1801
- Multiple connection attempts to MSMQ from single source
SIEM Query:
EventID=7031 OR EventID=7034 AND ServiceName="MSMQ" OR DestinationPort IN (1801, 2103, 2105, 3527) AND Protocol IN ("TCP", "UDP")