During the June Patch Tuesday, Microsoft released updates addressing 49 vulnerabilities, including one particularly critical flaw that could be exploited by a computer worm. This specific vulnerability, designated CVE-2024-30080, affects systems with Microsoft Message Queuing (MSMQ) enabled—a feature not enabled by default.
CVE-2024-30080 allows an unauthenticated attacker to remotely execute code on vulnerable systems. The attack involves sending a specially crafted MSMQ package to an MSMQ server. MSMQ is a messaging protocol that facilitates secure communication between applications running on different servers or processes. Admins and users can enable MSMQ through the Control Panel.
Dustin Childs of the security company ZDI has warned that a computer worm could potentially exploit this vulnerability to automatically spread through servers with MSMQ enabled. Childs notes that while the number of Windows systems with the necessary conditions for exploitation is likely low, organizations should ensure that TCP port 1801, the port used by MSMQ, is not accessible from the Internet.
The updates addressing this vulnerability are available for Windows Server 2008 (R2), Windows Server 2012 (R2), Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11. Most systems will install these updates automatically.
This vulnerability has received a CVSS rating of 9.8, highlighting its severity. It allows remote, unauthenticated attackers to execute arbitrary code with elevated privileges on systems where MSMQ is enabled. This makes the vulnerability ‘wormable’ among those servers but does not affect systems where MSMQ is disabled. The scenario is reminiscent of the “QueueJumper” vulnerability from the previous year, though the extent of exposure to the internet remains unclear. Nevertheless, auditing networks to ensure TCP port 1801 is inaccessible is highly recommended.
Meanwhile, security researcher @KeyZ3r0, who identified the vulnerability, mentioned on Twitter that this was their first pre-auth use after free RCE vulnerability with a CVSS score of 9.8. They pointed out that while Microsoft patched the issue, the mitigation advice in the advisory might be incorrect, an issue they are attempting to address with MSRC. @KeyZ3r0 hinted at a forthcoming analysis of the vulnerability once the advisory is corrected.
Another notable vulnerability shown in Patch Tuesday was CVE-2024-30078, which affects Windows Wi-Fi drivers and allows for remote code execution. With a CVSS score of 8.8, this vulnerability requires an attacker to be within proximity of the target system to exploit it by sending a malicious networking packet. The vulnerability was discovered by Wei in Kunlun Lab, part of the same research group at Cyber KunLun that identified CVE-2024-30080.
