April 2023 Windows Updates brought a fix for CVE-2023-21554, a remote code execution vulnerability in Microsoft Message Queuing Service. The vulnerability, nicknamed "QueueJumper" was reported to Microsoft by Wayne Low of Fortinet's FortiGuard Lab and Haifei Li with Check Point Research.
The first proof-of-concept became available on April 30, when Omair from Krash Consulting published it on GitHub. Another proof-of-concept by zoemurmure became available on May 18. Both of these made it possible for us to create a micropatch for this issue.
The
vulnerability allows a remote unauthenticated attacker to cause memory corruption on a Windows computer running Microsoft Message Queuing Service, which can often be extended to executing arbitrary code on the computer. A detailed technical analysis (in Chinese) was provided by zoemurmure,
Our patch prevents memory corruption in a similar way as Microsoft's. In this rare case, the vulnerable service must be restarted on Windows 10 in order for our patch to get applied because it employs the "arbitrary code execution" exploit mitigation that interferes with our operations. Mind you, Microsoft's patch requires a computer restart, but 0patch micropatches typically get applied without even relaunching vulnerable processes. This is not the case here, so make sure to restart the MSMQ service.
Let's see our micropatch in action. With 0patch
disabled, the POC immediately crashes the Microsoft Message Queuing Service. With
0patch enabled, the attack doesn't work anymore because the invalid packet is detected and blocked by our patch.
Micropatch Availability
The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 10 v21H1
- Windows 10 v2004
- Windows 10 v1909
- Windows 10 v1809
- Windows 7 (without ESU, with ESU year 1, and with ESU year 2)
- Windows Server 2008 R2 (without ESU, with ESU year 1, and with ESU year 2)
Vulnerabilities like this one get discovered on a regular basis, and
attackers know about them all. If you're using Windows that aren't
receiving official security updates anymore, 0patch will make sure these
vulnerabilities won't be exploited on your computers - and you won't
even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.
We'd like to thank Omair from Krash Consulting and zoemurmure for sharing their POCs, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.
No comments:
Post a Comment