

Title

Microsoft Discloses Critical RCE Vulnerability

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: Critical. Compromise may result in the loss of confidentiality and integrity of data in the first instance.

A critical-level vulnerability, tracked as CVE-2023-21554 (CVSSv3 score 9.8), was disclosed as part of the April 2023 Microsoft Patch Tuesday. The security flaw is a remote code execution vulnerability in Microsoft Message Queuing (MSMQ).

At the time of writing, CVE-2023-21554 has not been reported as exploited in the wild. Further, the Microsoft Message Queuing service must be enabled and listening on TCP port 1801 for a system to be vulnerable to exploitation. Although the Message Queuing service is not installed by default, future exploitation of CVE-2023-21554 is possible.

Impact

Successful exploitation of CVE-2023-21554 allows a threat actor to achieve remote code execution by sending a specially crafted Microsoft Message Queuing (MSMQ) packet to the service.

Vulnerability Detection

A security patch for CVE-2023-21554 has been released by Microsoft. Unpatched versions of the affected products therefore remain vulnerable to potential exploitation.

Affected Products

  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 for 32-bit Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 11 version 21H2 for ARM64-based Systems
  • Windows 11 version 21H2 for x64-based Systems
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems

Containment, Mitigations & Remediations

It is strongly recommended that the associated Microsoft security updates are applied to the affected products as soon as possible.

It is also advised that the Windows Message Queuing service be disabled via the Control Panel. Users can also check whether a service named “Message Queuing” is running and whether TCP port 1801 is listening on the machine.
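The check described above, as an added example that is not part of the original bulletin: a read-only PowerShell function that reports whether the “Message Queuing” service is present and running and whether anything is listening on TCP port 1801. It assumes a Windows 8 / Server 2012 or later host where Get-NetTCPConnection is available; on older systems the port check would need netstat instead.

```powershell
# Added example (not from the bulletin): read-only exposure check for CVE-2023-21554.
# Run in an elevated PowerShell 5.1+ session; nothing is changed on the host.
function Test-MsmqExposure {
    [CmdletBinding()]
    param()

    # Display name "Message Queuing" is what the bulletin tells users to look for.
    $svc = Get-Service -DisplayName 'Message Queuing' -ErrorAction SilentlyContinue |
           Select-Object -First 1

    # Any listener bound to 1801/tcp, regardless of the owning process.
    $listen = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    $svcStatus = 'NotInstalled'
    $svcStart  = 'n/a'
    if ($svc) {
        $svcStatus = $svc.Status.ToString()
        $svcStart  = $svc.StartType.ToString()
    }

    $owner = $null
    if ($listen) {
        $owner = (Get-Process -Id $listen[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        ServiceInstalled  = [bool]$svc
        ServiceStatus     = $svcStatus
        ServiceStartType  = $svcStart
        Port1801Listening = [bool]$listen
        ListeningProcess  = $owner
        # Exposed only when both conditions the bulletin describes hold at once.
        Exposed           = ([bool]$svc -and $svcStatus -eq 'Running' -and [bool]$listen)
    }
}

$result = Test-MsmqExposure
$result | Format-List

# Interim mitigation the bulletin recommends where patching must wait: stop the
# service and prevent it from starting again. Left commented out so the check
# above stays read-only; apply the Microsoft update regardless.
# if ($result.Exposed) {
#     Stop-Service -DisplayName 'Message Queuing' -Force
#     Set-Service -Name $(Get-Service -DisplayName 'Message Queuing').Name -StartupType Disabled
# }
```

Run the function across a fleet (for example via Invoke-Command) and collect the Exposed field to prioritise which hosts receive the April 2023 update first.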

Indicators of Compromise

No specific Indicators of Compromise (IoC) are available at this time.

Threat Landscape

Last month, Microsoft published remediations for 83 security flaws in the March 2023 Patch Tuesday release. Moving into the April disclosure, a leading attack vector continues to be remote code execution (accounting for a combined 45.9% of patched vulnerabilities). The 45 Remote Code Execution (RCE) patches represent a significant increase from the average of 33 per month over the previous 3-month period.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic: TA0008 – Lateral Movement

Lateral Movement Technique: T1210 – Exploitation of Remote Services

Further Information