CVE-2024-21355
📋 TL;DR
This vulnerability in Microsoft Message Queuing (MSMQ) allows an authenticated attacker to execute code with SYSTEM privileges on affected systems. It affects Windows servers and workstations running MSMQ service. Attackers must have valid credentials and network access to the target system.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling lateral movement, data exfiltration, and persistent backdoor installation.
Likely Case
Privilege escalation from authenticated user to SYSTEM, allowing installation of malware, credential harvesting, and further network exploitation.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and MSMQ service disabled on non-essential systems.
🎯 Exploit Status
Requires authenticated access to target system. No public exploit code available as of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in February 2024 Patch Tuesday
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21355
Restart Required: Yes
Instructions:
1. Apply February 2024 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsDisable Microsoft Message Queuing service if not required for business operations
sc config MSMQ start= disabled
sc stop MSMQ
Block MSMQ Ports
windowsnetsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801,2103,2105,3527
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=1801,3527
🧯 If You Can't Patch
- Disable MSMQ service on all non-essential systems
- Implement network segmentation to isolate MSMQ traffic and restrict access to authorized systems only
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is running: sc query MSMQ | findstr "RUNNING"Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify February 2024 security updates are installed: wmic qfe list | findstr "KB5034765"📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with MSMQ process creation
- Unusual MSMQ service restarts
- Failed authentication attempts to MSMQ service
Network Indicators:
- Unusual connections to TCP ports 1801, 2103, 2105, 3527
- MSMQ protocol anomalies
SIEM Query:
source="windows" event_id=4688 process_name="mqsvc.exe" OR process_name="mqsvc.exe"