CVE-2023-35385 Overview
CVE-2023-35385 is a critical Remote Code Execution vulnerability affecting Microsoft Message Queuing (MSMQ), a messaging protocol that enables applications running on separate servers to communicate in a failsafe manner. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable Windows systems where the MSMQ service is enabled, potentially leading to complete system compromise.
Critical Impact
Unauthenticated remote attackers can execute arbitrary code with SYSTEM privileges on Windows systems with MSMQ enabled, requiring no user interaction.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2)
- Microsoft Windows Server 2008 (SP2 and R2 SP1)
- Microsoft Windows Server 2012 (including R2)
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
Discovery Timeline
- August 8, 2023 - CVE-2023-35385 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-35385
Vulnerability Analysis
This vulnerability exists within Microsoft Message Queuing (MSMQ), a Windows component that provides asynchronous messaging capabilities for distributed applications. The flaw is classified under CWE-190 (Integer Overflow or Wraparound), indicating that improper handling of integer operations within MSMQ can lead to memory corruption conditions that attackers can exploit.
The vulnerability is particularly dangerous because MSMQ listens on TCP port 1801 by default, and the attack can be executed remotely without any form of authentication or user interaction. When MSMQ processes specially crafted network packets, an integer overflow condition can occur, leading to memory corruption that allows attackers to execute arbitrary code in the context of the MSMQ service, which typically runs with SYSTEM privileges.
Root Cause
The root cause of CVE-2023-35385 is an Integer Overflow vulnerability in the Microsoft Message Queuing service. When processing incoming messages, MSMQ fails to properly validate certain size-related integer values before using them in memory allocation or buffer operations. This allows an attacker to supply values that, when used in arithmetic operations, wrap around to smaller values than expected, resulting in undersized buffer allocations followed by buffer overflow conditions during data processing.
Attack Vector
The attack vector for this vulnerability is network-based, targeting the MSMQ service on TCP port 1801. An attacker can exploit this vulnerability by sending specially crafted MSMQ messages to a vulnerable system. The attack requires:
- The target system must have MSMQ feature enabled (not enabled by default on most Windows installations)
- TCP port 1801 must be accessible from the attacker's network position
- No authentication is required to send malicious messages
The exploitation involves crafting MSMQ protocol messages with integer values designed to trigger the overflow condition. When processed by the vulnerable MSMQ service, these malformed messages cause memory corruption that the attacker can leverage to gain code execution with elevated privileges.
Detection Methods for CVE-2023-35385
Indicators of Compromise
- Unexpected network connections to TCP port 1801 from external or untrusted IP addresses
- Abnormal MSMQ service crashes or restarts (mqsvc.exe)
- Suspicious process spawning from the MSMQ service process
- Memory access violations or crash dumps associated with mqsvc.exe
Detection Strategies
- Monitor network traffic for anomalous MSMQ protocol communications on TCP port 1801
- Deploy endpoint detection solutions to identify exploitation attempts targeting MSMQ
- Analyze Windows Event Logs for MSMQ service failures, crashes, or unexpected behavior
- Use SentinelOne's behavioral AI to detect post-exploitation activities such as privilege escalation or lateral movement
Monitoring Recommendations
- Implement network segmentation to limit exposure of MSMQ services to trusted networks only
- Configure firewall rules to restrict access to TCP port 1801 from untrusted sources
- Enable detailed logging for MSMQ service activities and centralize log collection
- Deploy SentinelOne agents on all systems with MSMQ enabled for real-time threat detection
How to Mitigate CVE-2023-35385
Immediate Actions Required
- Apply the Microsoft security update for CVE-2023-35385 immediately on all affected systems
- If patching is not immediately possible, disable the MSMQ service on systems where it is not required
- Block inbound TCP traffic on port 1801 at the network perimeter and host-based firewalls
- Audit all Windows systems to identify where MSMQ is enabled and assess business necessity
Patch Information
Microsoft has released security updates to address this vulnerability as part of their August 2023 Patch Tuesday release. Administrators should obtain patches from the Microsoft Security Update Guide for CVE-2023-35385. The patches address the integer overflow condition in the MSMQ service by implementing proper validation of integer values before they are used in memory operations.
Organizations should prioritize patching based on system exposure, giving highest priority to internet-facing servers and systems in DMZ environments where MSMQ is enabled.
Workarounds
- Disable the Message Queuing service via Windows Services management console if not required for business operations
- Use Windows Firewall to block incoming connections on TCP port 1801 from untrusted networks
- Implement network segmentation to isolate systems running MSMQ from general network access
- Consider using Group Policy to disable MSMQ Windows Feature across the enterprise on systems where it is not needed
# PowerShell commands to check MSMQ status and disable if not needed
# Check if MSMQ is installed
Get-WindowsFeature -Name MSMQ-Server
# Disable MSMQ service (if not required)
Stop-Service -Name MSMQ -Force
Set-Service -Name MSMQ -StartupType Disabled
# Block MSMQ port via Windows Firewall
New-NetFirewallRule -DisplayName "Block MSMQ Port 1801" -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
