Critical MSMQ RCE Bug Opens Microsoft Servers to Complete Takeover

Source: SuPatMaN via Shutterstock

Microsoft has issued fixes for a total of 49 vulnerabilities in its Patch Tuesday security update for June, including a critical bug in Microsoft Message Queuing (MSMQ) technology that could open vast swathes of companies to remote code execution (RCE) and server takeover.

The issue (CVE-2024-30080, CVSS score of 9.8 out of 10) is remotely exploitable, with low attack complexity, requires no privileges, and takes no user interaction; and it carries high impacts on confidentiality, integrity, and availability, according to Microsoft. Attackers can use it to completely take over an affected server by sending a specially crafted malicious MSMQ packet. To check vulnerability, confirm users should whether the ‘Message Queuing’ service is running and if TCP port 1801 is open on the system. The bug affects all versions of Windows starting from Windows Server 2008 and Windows 10.

Its impact could be felt in the threat landscape sooner rather than later, so patching quickly is a must: “A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for 'msmq’,” said Tyler Reguly, associate director security R&D at Fortra, in an emailed statement. “Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future.”

This is the only bug that Microsoft has rated as critical this month, but there are several others in the update that merit prompt attention as well, according to security analysts.

High-Priority Microsoft Bugs for June 2024

Among the high-priority bugs to put at the top of the patching list are: CVE-2024-30103, a remote code execution (RCE) vulnerability in Microsoft Outlook in which the Preview Pane is an attack vector; CVE-2024-30089, a vulnerability in Microsoft Streaming Services that gives attackers a way to gain system level access; CVE-2024-30085, a privilege escalation bug in Windows Cloud Files Mini Filter Driver that Microsoft has identified as more likely to be exploited; and CVE-2024-30099, an elevation-of-privilege (EoP) vulnerability in Windows Kernel Driver that attackers can abuse to take over an affected system.

In all, Microsoft categorized 11 of the 49 vulnerabilities in this month’s update as flaws that threat actors were more likely to exploit because of factors like low attack complexity and the fact that adversaries need no special privileges or user interaction to take advantage of them.

RCE Bugs to Prioritize

This month’s collection of noteworthy RCE bugs include CVE-2024-30101, a use-after-free bug in Microsoft Office that requires active user interaction for an attack to succeed; CVE-2024-30104 in Microsoft Office; and the previously mentioned CVE-2024-30103 in Microsoft Outlook, which an attacker can trigger via the Preview Pane in an email.

The latter is potentially especially dangerous because an attacker can use it to bypass Outlook registry block lists and enable the creation of malicious DLL files.

“This Microsoft Outlook vulnerability can be circulated from user to user, and doesn’t require a click to execute,” Morphisec researchers said in a blog. “Rather, execution initiates when an affected email is opened. This is notably dangerous for accounts using Microsoft Outlook’s auto-open email feature.”

Microsoft itself has assessed the flaw as something that attackers are less likely to exploit.

High Number of Elevation-of-Privilege Bugs

Somewhat unusually, there were more EoP flaws this time around than there were RCE bugs, accounting for nearly half of the CVEs patched.

Satnam Narang, senior staff research engineer at Tenable, pointed to CVE-2024-30089, the bug in Microsoft Streaming Services, as one of the privilege escalation flaws that organizations need to prioritize the most.

“These types of flaws are notoriously useful for cybercriminals seeking to elevate privileges on a compromised system,” Narang said. “When exploited in the wild as a zero-day, they are typically associated with more advanced persistent threat (APT) actors or as part of targeted attacks.”

CVE-2024-30089 is one of two EoP vulnerabilities in Streaming Service that Microsoft disclosed this month. The other is CVE-2024-30090, which also gives attackers a way to gain system-level privileges but is harder to exploit.

In prepared comments, Kev Breen, senior director threat research at Immersive Lab, identified CVE-2024-30085 as another EoP flaw that will likely draw attacker interest. The bug in Windows Cloud Mini Files Driver allows for system level privileges on a local machine.

“This type of privilege-escalation step is frequently seen by threat actors in network compromises, as it can enable the attacker to disable security tools or run credential dumping tools like Mimikatz,” for lateral movement and further compromise, he said. Microsoft’s description of the flaw suggests it is identical to CVE-2023-36036, a zero-day bug in Cloud Files Mini Filter that attackers actively exploited last year, Breen said.

CVE-2024-30099 is another EoP vulnerability that Microsoft has listed in its more category of more exploitable bugs. What makes the bug especially noteworthy is that it exists in the NT OS kernel. The vulnerability allows an attacker that can trigger — and win — a race condition within the kernel to take over an affected system. However, the Windows Message Queuing Service must be enabled for an attacker to be successful.

“This vulnerability should be on everyone’s patch list due to it being so central to the operating system,” said Ben McCarthy, lead cyber security engineer at Immersive Labs, in emailed comments.

There are several other kernel-related EoP vulnerabilities that organizations would do well to prioritize, McCarthy noted. These include CVE-2024-35250, CVE-2024-30084, CVE-2024-30064, CVE-2024-30068, and CVE-2024-35250.

“These sorts of vulnerabilities are often what attackers will try to weaponize after the patch day,” he said. “So, it is always wise to patch kernel-related vulnerabilities because successful exploitation of these vulnerabilities mean they get complete access to a computer’s resources and run as SYSTEM privileges.”

About the Author(s)

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.