Windows - Security - Mitigate Message Queuing RCE Vulnerabilities

This Worklet mitigates the Microsoft Message Queuing (MSMQ) remote code execution vulnerabilities by stopping and disabling the MSMQ service and blocking inbound TCP port 1801 until the Microsoft patch can be applied.

Worklet Details

Why would you use the PowerShell Mitigate Message Queuing RCE Vulnerability Worklet?

Recently, multiple remote code execution vulnerabilities affecting the Microsoft Message Queuing (MSMQ) service have been disclosed. These vulnerabilities allow an attacker who can reach the service over the network to execute code on the host without authorization.

The PowerShell-based Mitigate Message Queuing RCE Vulnerability Worklet mitigates these vulnerabilities by stopping and disabling the service and blocking its TCP port until the proper patch can be applied. It is a stop-gap, not a replacement for the patch.

How the Mitigate Message Queuing RCE Vulnerability Worklet works

Microsoft describes a mitigation as a setting, common configuration, or general best practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors apply here:

The Message Queuing service (service name MSMQ), a Windows optional feature, must be installed and running for a system to be exploitable. The feature is not installed by default; it is added via Control Panel (Turn Windows features on or off) or Server Manager.

To check exposure, look for a running service named Message Queuing and a process listening on TCP port 1801 on the machine.

EVALUATION

The evaluation code runs a series of checks to determine whether a device is still exposed to the vulnerability.

STEP 1: EVALUATE THE STATE OF THE MSMQ SERVICE

Evaluate the state of the MSMQ service to confirm that it is stopped and that its startup type is set to Disabled. If the service is not installed, the evaluation ends immediately: the device is compliant and not eligible for remediation. If the service is found and is not both stopped and disabled, the device is flagged as non-compliant.

STEP 2: CHECK FOR NETWORK ACTIVITY ON PORT 1801

Check whether any process is listening on TCP port 1801. If one is found, the device is flagged as non-compliant. If none is found, the evaluation continues.

STEP 3: CHECK FOR A WINDOWS FIREWALL BLOCK RULE ON TCP PORT 1801

Ensure that an enabled inbound Windows Firewall block rule exists for TCP port 1801. If no such rule is active, the device is flagged as non-compliant. A device that fails any one of the three checks is flagged for remediation.
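The three evaluation checks above, written out as an added PowerShell example. This is not the Automox Worklet's own evaluation code; it assumes the Automox convention that exit code 0 means compliant and 1 means non-compliant, and it relies on the NetTCPIP and NetSecurity modules shipped with Windows 8 / Server 2012 and later.

```powershell
# Added example of the three evaluation checks; not the Automox Worklet's own code.
# Assumes exit 0 = compliant, exit 1 = non-compliant (Automox convention).

$port = 1801

# STEP 1: the MSMQ service (display name "Message Queuing") must be absent,
# or stopped with startup type Disabled. Win32_Service works on older hosts
# where Get-Service does not expose StartType.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'MSMQ'"
if (-not $svc) {
    Write-Output "MSMQ service not installed; device is compliant."
    exit 0
}
if ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled') {
    Write-Output "Non-compliant: MSMQ state is $($svc.State), start mode is $($svc.StartMode)."
    exit 1
}

# STEP 2: nothing may be listening on TCP 1801.
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $owners = ($listener.OwningProcess | Sort-Object -Unique) -join ','
    Write-Output "Non-compliant: TCP $port is listening (PID $owners)."
    exit 1
}

# STEP 3: an enabled inbound block rule for TCP 1801 must exist.
# Only rules whose LocalPort is exactly 1801 are recognised; a rule that covers
# the port through a range such as 1800-1810 would not satisfy this check.
$blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and @($filter.LocalPort) -contains "$port"
    }
if (-not $blockRule) {
    Write-Output "Non-compliant: no enabled inbound firewall rule blocks TCP $port."
    exit 1
}

Write-Output "Compliant: MSMQ stopped and disabled, TCP $port not listening, block rule present."
exit 0
```

The listener check is there because a stopped service cannot be bound to the port; if something still listens on 1801 after step 1 passes, either the service was restarted out of band or another process owns the port, and both cases deserve a look before the device is marked compliant.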

REMEDIATION

The remediation code follows Microsoft's recommended mitigation steps by enforcing the following:

STEP 1: STOP THE MSMQ SERVICE AND SET STARTUP TYPE TO DISABLED

Stop the MSMQ service if it's running and set the startup type to disabled.

STEP 2: CREATE A WINDOWS FIREWALL RULE THAT BLOCKS TCP PORT 1801

Create an inbound Windows Firewall rule named "AUTOMOX WORKLET: Block TCP 1801" that blocks TCP port 1801.
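The two remediation steps above as an added PowerShell example. This is not the Automox Worklet's own remediation code; it reuses the rule name the description gives, must run elevated, and assumes the same exit-code convention (0 for success, non-zero for failure).

```powershell
# Added example of the remediation steps; not the Automox Worklet's own code.
# Run elevated. Rule name taken from the Worklet description.

$port     = 1801
$ruleName = 'AUTOMOX WORKLET: Block TCP 1801'

# STEP 1: stop the MSMQ service if it is running and set its startup type to Disabled.
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops services that depend on MSMQ (for example MSMQ Triggers).
        Stop-Service -Name MSMQ -Force -ErrorAction Stop
    }
    Set-Service -Name MSMQ -StartupType Disabled
    Write-Output "MSMQ stopped and set to Disabled."
} else {
    Write-Output "MSMQ service not installed; nothing to stop."
}

# STEP 2: add an inbound block rule for TCP 1801 unless it already exists.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    # An earlier copy of the rule may have been disabled by hand; make sure it is active.
    Enable-NetFirewallRule -DisplayName $ruleName
    Write-Output "Firewall rule '$ruleName' already present; ensured it is enabled."
} else {
    New-NetFirewallRule -DisplayName $ruleName `
        -Description 'Temporary mitigation for MSMQ RCE vulnerabilities; remove after patching.' `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output "Created firewall rule '$ruleName'."
}

# Re-read both controls so the run fails loudly if either one did not apply.
$svcAfter  = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'MSMQ'"
$ruleAfter = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (($svcAfter -and ($svcAfter.State -ne 'Stopped' -or $svcAfter.StartMode -ne 'Disabled')) -or -not $ruleAfter) {
    Write-Output "Remediation incomplete."
    exit 1
}
exit 0
```

Two practical caveats. First, disabling MSMQ breaks any application that queues through it, so confirm nothing on the host depends on the service before rolling this out broadly. Second, once the Microsoft patch is installed the mitigation should be reversed: remove the rule with Remove-NetFirewallRule -DisplayName 'AUTOMOX WORKLET: Block TCP 1801', then restore the service's original startup type with Set-Service and start it again.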

What are the benefits of mitigating MSMQ vulnerabilities?

Message queuing is a critical component of many communication systems. Microsoft Message Queuing, also known as MSMQ, is a priority-based messaging system that provides guaranteed message delivery in Windows Server and Windows Communication Foundation environments.

Think of it as an automatic baggage system for your messages. MSMQ manages messages through a queue manager that can hold them while the recipient is offline and route them across networks using DNS-based path names.

With MSMQ, applications ranging from electronic commerce to sales automation benefit from reliable message-based communication. The MSMQ API gives developers the ability to send, receive, peek at, and hold messages, among other operations.

By using this Worklet, the MSMQ service is stopped and disabled and its port blocked, which removes the exposure until the appropriate Microsoft patch is applied. Apply the patch and then reverse the mitigation if the service is needed.

What's a Worklet?

Consider Automox Worklets your easy button. Grab ready-to-go PowerShell and BASH code from our catalog to automate any scriptable task on your Windows, macOS, and Linux endpoints.