CVE-2024-21363
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running Microsoft Message Queuing (MSMQ) by sending specially crafted packets. It affects Windows systems with MSMQ enabled, particularly those exposed to untrusted networks. Attackers can gain SYSTEM-level privileges on compromised systems.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling lateral movement, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Initial foothold leading to privilege escalation, credential harvesting, and lateral movement within enterprise networks.
If Mitigated
Limited impact due to network segmentation, strict firewall rules, and disabled MSMQ service on non-essential systems.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires network access to MSMQ service (TCP port 1801 by default).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: February 2024 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21363
Restart Required: Yes
Instructions:
1. Apply February 2024 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS, SCCM, or Intune. 3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsStop and disable the Microsoft Message Queuing service if not required for business operations.
sc stop MSMQ
sc config MSMQ start= disabled
Block MSMQ Ports
windowsBlock inbound traffic to MSMQ ports (TCP 1801, UDP 3527, UDP 1801) at network perimeter.
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801
netsh advfirewall firewall add rule name="Block MSMQ UDP" dir=in action=block protocol=UDP localport=1801,3527
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MSMQ servers from untrusted networks
- Deploy host-based firewalls to block inbound MSMQ traffic except from authorized sources
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is running: 'sc query MSMQ' or 'Get-Service MSMQ' in PowerShell. If service exists and is running, system is potentially vulnerable.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify February 2024 security updates are installed via 'systeminfo' command or PowerShell: 'Get-HotFix -Id KB5034765' (example KB, check actual KB for your OS version).📡 Detection & Monitoring
Log Indicators:
- Unusual MSMQ service restarts
- Failed MSMQ authentication attempts from unexpected sources
- Windows Security Event ID 4688 for unexpected process creation
Network Indicators:
- Unusual traffic to TCP port 1801 from external sources
- MSMQ protocol anomalies in network traffic
SIEM Query:
Example: (source_port=1801 OR destination_port=1801) AND (protocol=TCP) AND (bytes_sent>1000000 OR bytes_received>1000000)