Microsoft discloses critical RCE vulnerability - CVE-2023-28250

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: Critical. Compromise may result in the loss of confidentiality and integrity of data in the first instance.

A critical vulnerability, tracked as CVE-2023-28250 (CVSSv3 score 9.8), was disclosed as part of the April 2023 Microsoft Patch Tuesday. The flaw is a remote code execution vulnerability in the Windows Pragmatic General Multicast (PGM) protocol implementation. PGM is the reliable multicast transport that ships with Microsoft Message Queuing (MSMQ), which is why exposure depends on that service.

At the time of writing, CVE-2023-28250 has not been reported as exploited in the wild. A system is only vulnerable if the Microsoft Message Queuing service is enabled and listening on TCP port 1801. Although the Message Queuing service is not installed by default, hosts on which it has been enabled are exposed, and future exploitation of CVE-2023-28250 remains possible.

Impact

Successful exploitation of CVE-2023-28250 allows an unauthenticated threat actor to obtain remote code execution (RCE) on the target by sending a specially crafted file over the network to a host where the Message Queuing service is listening on TCP port 1801. Consistent with the 9.8 score, no privileges or user interaction are required.

Vulnerability Detection

Microsoft has released security updates that remediate CVE-2023-28250. Hosts running the affected products listed below without the April 2023 update remain vulnerable. Because a host is only exposed when the Message Queuing service is installed and listening on TCP port 1801, detection should combine patch status with a check for that service and port.

Affected Products

– Windows Server 2012 R2 (Server Core installation)
– Windows Server 2012 R2
– Windows Server 2012 (Server Core installation)
– Windows Server 2012
– Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
– Windows Server 2008 R2 for x64-based Systems Service Pack 1
– Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
– Windows Server 2008 for x64-based Systems Service Pack 2
– Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
– Windows Server 2008 for 32-bit Systems Service Pack 2
– Windows Server 2016 (Server Core installation)
– Windows Server 2016
– Windows 10 Version 1607 for x64-based Systems
– Windows 10 Version 1607 for 32-bit Systems
– Windows 10 for x64-based Systems
– Windows 10 for 32-bit Systems
– Windows 10 Version 22H2 for 32-bit Systems
– Windows 10 Version 22H2 for ARM64-based Systems
– Windows 10 Version 22H2 for x64-based Systems
– Windows 11 Version 22H2 for x64-based Systems
– Windows 11 Version 22H2 for ARM64-based Systems
– Windows 10 Version 21H2 for x64-based Systems
– Windows 10 Version 21H2 for ARM64-based Systems
– Windows 10 Version 21H2 for 32-bit Systems
– Windows 11 version 21H2 for ARM64-based Systems
– Windows 11 version 21H2 for x64-based Systems
– Windows 10 Version 20H2 for ARM64-based Systems
– Windows 10 Version 20H2 for 32-bit Systems
– Windows 10 Version 20H2 for x64-based Systems
– Windows Server 2022 (Server Core installation)
– Windows Server 2022
– Windows Server 2019 (Server Core installation)
– Windows Server 2019
– Windows 10 Version 1809 for ARM64-based Systems
– Windows 10 Version 1809 for x64-based Systems
– Windows 10 Version 1809 for 32-bit Systems

Containment, Mitigations & Remediations

It is strongly recommended that the associated Microsoft security updates are applied to the affected products as soon as possible.

It is also advised that the Windows Message Queuing service is disabled where it is not required, either via the Control Panel (Programs and Features, Turn Windows features on or off, Microsoft Message Queue (MSMQ) Server) or via Server Manager on Windows Server. To determine whether a host is exposed, check for a service named "Message Queuing" and whether TCP port 1801 is listening on the machine.
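The following PowerShell script is an added example and is not part of the original bulletin or of Microsoft's guidance. It performs the triage described above on a single host: it checks for the Message Queuing service (short service name MSMQ, display name "Message Queuing"), checks whether anything is listening on TCP 1801 and which process owns the listener (expected to be mqsvc.exe when MSMQ is running), lists the most recently installed updates for comparison against the KB numbers in the Microsoft advisory, and, if run with `-Remediate`, stops and disables the service as a temporary containment measure. The `-Remediate` switch and the output wording are this example's own.

```powershell
# Added example (not from the original bulletin): triage a Windows host for
# CVE-2023-28250 exposure and optionally disable the Message Queuing service.
# Assumptions: the service's short name is MSMQ (display name "Message Queuing")
# and the listener of interest is TCP 1801, as the bulletin states.
# Run in an elevated PowerShell session.

param(
    [switch]$Remediate   # pass -Remediate to stop and disable the service
)

$ServiceName = 'MSMQ'
$Port        = 1801

# 1. Is the Message Queuing service installed, and what is its state?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Message Queuing service is not installed; host is not exposed via MSMQ."
} else {
    Write-Output ("Message Queuing service present: Status={0}, StartType={1}" -f $svc.Status, $svc.StartType)
}

# 2. Is anything listening on TCP 1801, and which process owns it?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("TCP {0} LISTEN on {1} owned by PID {2} ({3})" -f `
            $Port, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Output "Nothing is listening on TCP $Port."
}

# 3. Recently installed updates, to compare against the KB listed in the
#    Microsoft advisory for this host's OS version (not hard-coded here).
Write-Output "Most recent installed updates:"
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 4. Optional containment until the April 2023 update is installed: stop the
#    service and prevent it from starting again. Reversible with
#    Set-Service -Name MSMQ -StartupType Automatic followed by Start-Service.
if ($Remediate -and $svc) {
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    Set-Service  -Name $ServiceName -StartupType Disabled
    Write-Output "MSMQ stopped and set to Disabled. Re-check with: Get-Service $ServiceName"
}
```

To run the check across an estate, wrap the script body in `Invoke-Command -ComputerName <hosts> -ScriptBlock { ... }` and collect the output centrally; a host reporting both the service present and a listener on 1801 without the April 2023 update is the priority for patching. Disabling the service is a stop-gap only, since applications that depend on MSMQ will fail while it is off, and it does not replace installing the update.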

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Last month, Microsoft published remediations for 83 security flaws in the March 2023 Patch Tuesday release. In the April release, RCE remained the leading vulnerability class, accounting for 45.9% of patched vulnerabilities. The 45 RCE patches represent a significant increase over the average of 33 per month across the preceding three-month period.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactics:

TA0008 - Lateral Movement

Lateral Movement Technique:

T1210 - Exploitation of Remote Services

Further Information

Microsoft Advisory

Intelligence Terminology Yardstick