CVE-2024-21405
📋 TL;DR
This vulnerability in Microsoft Message Queuing (MSMQ) allows an authenticated attacker to execute code with SYSTEM privileges on affected systems. It affects Windows servers and workstations running MSMQ. Attackers must have valid credentials and network access to the target system.
💻 Affected Systems
- Microsoft Message Queuing (MSMQ)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling lateral movement, data theft, and persistent backdoor installation.
Likely Case
Privilege escalation from authenticated user to SYSTEM, allowing installation of malware, credential harvesting, and persistence mechanisms.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and minimal user privileges.
🎯 Exploit Status
Requires authenticated access to the target system. No public exploit code available as of knowledge cutoff.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: March 2024 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21405
Restart Required: Yes
Instructions:
1. Apply March 2024 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable MSMQ Service
windowsStop and disable the Message Queuing service if not required
sc stop MSMQ
sc config MSMQ start= disabled
Remove MSMQ Feature
windowsUninstall the Message Queuing Windows feature
Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server (PowerShell)
dism /online /disable-feature /featurename:MSMQ-Server (Command Prompt)
🧯 If You Can't Patch
- Disable MSMQ service on all systems where it's not required
- Implement network segmentation to restrict access to MSMQ ports (TCP 1801, TCP 2103, TCP 2105, UDP 3527)
🔍 How to Verify
Check if Vulnerable:
Check if MSMQ service is running: Get-Service MSMQ (PowerShell) or sc query MSMQ (Command Prompt)Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify March 2024 security updates are installed: Get-HotFix -Id KB5035857 (PowerShell) or wmic qfe list brief (Command Prompt)📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with MSMQ process creation
- Unusual MSMQ service activity
- Failed authentication attempts to MSMQ
Network Indicators:
- Unusual traffic to MSMQ ports (1801, 2103, 2105, 3527)
- Multiple connection attempts to MSMQ from single source
SIEM Query:
source="windows" AND (process_name="mqsvc.exe" OR service="MSMQ") AND (event_id=4688 OR event_id=7045)