Critical Flaws Exposed Microsoft Message Queuing Service to DoS Attacks

Researchers at the AI-powered Security solutions provider, FortiGuard Labs, have been monitoring Microsoft Message Queuing (MSMQ) service for the past few months. In an exclusive research report shared with, the company revealed details of multiple security vulnerabilities in the widely used message queuing service.

The vulnerabilities allow remote code execution and denial of service attacks (DoS attacks), mainly impacting Windows-based devices with MSMQ installed.

Vulnerabilities Details

FortiGuard Lab’s research report, authored by Wayne Low and published on July 24, 2023, explains that the vulnerabilities have been categorized as critical. The details of each flaw are as follows:

FG-VD-23-001: Message Queuing Exactly-One-Delivery (EOD) Header Out-of-Bounds Read

The flaw allows out-of-bounds read because of not validating some critical functions, including EodHeader, StreamIdSize, and OrderQueueSize before they are accessed in the message header parser routine (CQmPacket::CQmPacket). 

Researchers agree that this information disclosure exploit is implausible, but attackers can easily achieve a denial of service attack if the out-of-bound read accesses an invalid address. FortiGuard Labs released the MS.Windows.Message.Queuing.Service.CVE-2023-28302.DoS signature to detect this flaw.

FG-VD-23-002: Message Queuing Message Header Out-of-Bounds Write

When the message header parser CQmPacket::CQmPacket doesn’t validate a message header with an arbitrary size, out-of-bound write occurs.

Further probing revealed that some message headers, for instance, EodHeader, EodAckHeader, and CompoundMessageHeader  EodHeader, EodAckHeader, and CompoundMessageHeader, let attackers specify an improperly sanitized arbitrary size/length if the message header parser (that typically adjusts the pointer per each header’s pre-defined data structures) gets adjusted to point to an arbitrary location.

This would be an invalid address and can cause memory corruption if the message header gets dereferenced later in the code. To detect this issue, FortiGuard Labs released the IPS signature MS.Windows.MSMQ.CVE-2023-21554.Remote.Code.Execution.

FG-VD-23-015: Message Queuing Compound Message Header Out-of-bounds Write

This issue occurs due to a manual code audit when the CompoundMessage header fails to run a sanity check on its data structure.

What is MSMQ?

MSMQ is a standalone Windows server hosted under MQSVC.EXE. Microsoft developed this proprietary messaging protocol much on the lines of the open-source RabitMQ so that applications running on different computers can communicate in a failsafe manner.

Messages that cannot reach their destination are placed in a queue and are resent when the destination is reachable. Typical MSMQ packet includes headers like BaseHeader, UserHeader, and MessagePropertiesHeader and may also include TransactionHeader, SecurityHeader, DebugHeader, and SessionHeader.

Fortinet urges customers to immediately identify network assets vulnerable to the above mentioned vulnerabilities and apply patches. The company notified Microsoft about these issues as part of responsible disclosure practice. Microsoft promptly released patches in April and July 2023 security updates.

  1. Check Point: Microsoft the Most Phished Brand in Q2 2023
  2. Microsoft Discloses DDoS Attack Impact with Limited Details
  3. Microsoft Teams Flaw Sends Malware to Employees’ Inboxes
  4. Microsoft sued for alleged misuse of stolen Dark Web credentials
  5. New Phishing Attack Spoofs Microsoft 365 Authentication System
Related Posts