CVE-2024-21357 Overview
CVE-2024-21357 is a remote code execution vulnerability in the Windows Pragmatic General Multicast (PGM) protocol implementation. The flaw affects a broad range of Microsoft Windows client and server versions, from Windows 10 1507 through Windows 11 23H2 and from Windows Server 2008 through Windows Server 2022 23H2. Microsoft classifies the issue under [CWE-843] (Access of Resource Using Incompatible Type — Type Confusion). Successful exploitation grants attackers code execution at the privilege level of the vulnerable PGM service over the network.
Critical Impact
Network-adjacent attackers can achieve remote code execution on unpatched Windows systems running the Message Queuing service with PGM enabled, with no authentication required.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H1, 22H2) — x86, x64, ARM64
- Microsoft Windows 11 (21H2, 22H2, 23H2) — x64, ARM64
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-02-13 - CVE-2024-21357 published to NVD
- 2024-02-13 - Microsoft releases security patch via the February 2024 Patch Tuesday update cycle
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21357
Vulnerability Analysis
Pragmatic General Multicast (PGM) is a reliable multicast transport protocol used by the Windows Message Queuing service (MSMQ) to deliver messages to multiple receivers. The vulnerability resides in the PGM protocol handling logic and is classified as a type confusion issue [CWE-843]. The attack vector is network-based, and the high attack complexity reflects conditions outside the attacker's control that must be met for reliable exploitation. Exploitation can result in compromise of confidentiality, integrity, and availability on the targeted host. The EPSS data indicates this CVE sits in the 95th percentile for predicted exploitation likelihood, signaling elevated attention from threat actors.
Root Cause
The root cause is improper type validation within the PGM protocol parser. When the service processes a crafted PGM packet, code paths interpret a memory object as a type incompatible with its actual layout. This mismatch allows attacker-controlled data to be processed as a different structure, corrupting program state and steering execution toward attacker-supplied content.
Attack Vector
Exploitation requires that the target system run the Windows Message Queuing service and have a PGM-enabled message queue bound to a reachable network interface. The attacker sends specially crafted PGM packets to the listening service. No authentication or user interaction is required. Successful exploitation yields code execution in the context of the MSMQ service. See the Microsoft Security Update Guide entry for CVE-2024-21357 for vendor technical details.
No verified public proof-of-concept code is available for CVE-2024-21357.
Refer to the Microsoft Security Update Guide for vendor-provided technical details.
Detection Methods for CVE-2024-21357
Indicators of Compromise
- Unexpected inbound traffic on UDP/TCP port 3056, the default port used by PGM
- Crashes or restarts of the Message Queuing service (mqsvc.exe) and related event log entries
- Child processes spawned by mqsvc.exe such as cmd.exe, powershell.exe, or rundll32.exe
- Unusual outbound connections originating from the MSMQ service process following inbound PGM traffic
Detection Strategies
- Monitor for the Message Queuing role being enabled on hosts that do not require it, and flag PGM listeners exposed to untrusted networks
- Alert on process lineage where mqsvc.exe spawns shells, scripting engines, or LOLBins
- Inspect network telemetry for anomalous PGM (port 3056) traffic patterns to internal Windows hosts
Monitoring Recommendations
- Enable Windows process creation auditing (Event ID 4688) and centralize logs from Windows servers running MSMQ
- Track Windows Service status changes for the Message Queuing service across the fleet
- Capture and retain NetFlow or full packet metadata for traffic targeting Windows servers exposing MSMQ
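The process-lineage check above (mqsvc.exe spawning shells, scripting engines or LOLBins) as a concrete hunt over Security log Event ID 4688, written as an added example rather than code from the advisory. It assumes process creation auditing is enabled and that the event carries the ParentProcessName field (Windows 10 / Server 2016 and later); the child-process list is an assumed starter set, not an authoritative one.

```powershell
# Added example: hunt 4688 events for suspicious children of the Message Queuing service.
# $SuspiciousChildren is an assumed starter list; extend it to your environment.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe',
                        'wscript.exe', 'cscript.exe', 'mshta.exe', 'certutil.exe')

function Get-EventField {
    # Pull one named value out of the EventData block of a 4688 event
    param([System.Xml.XmlElement]$EventData, [string]$Name)
    ($EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-MsmqChildProcesses {
    param(
        [datetime]$Since        = (Get-Date).AddDays(-7),
        [string]  $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data   = ([xml]$_.ToXml()).Event.EventData
            $parent = Get-EventField $data 'ParentProcessName'   # absent on older OS builds
            $child  = Get-EventField $data 'NewProcessName'
            if ($parent -and $parent -like '*\mqsvc.exe' -and
                $SuspiciousChildren -contains (Split-Path $child -Leaf)) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $ComputerName
                    Parent      = $parent
                    Child       = $child
                    CommandLine = Get-EventField $data 'CommandLine'  # needs command-line auditing
                    SubjectUser = Get-EventField $data 'SubjectUserName'
                }
            }
        }
}

# Review the last 30 days on the local host; any row is worth an incident ticket
Find-MsmqChildProcesses -Since (Get-Date).AddDays(-30) | Format-Table -AutoSize
```

Run it against the MSMQ servers identified during inventory; a host where mqsvc.exe never legitimately launches interpreters should return no rows.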
How to Mitigate CVE-2024-21357
Immediate Actions Required
- Apply the February 2024 Microsoft security updates that address CVE-2024-21357 across all affected Windows client and server SKUs
- Inventory hosts where the Message Queuing feature is installed and disable it where not operationally required
- Block inbound traffic to TCP/UDP port 3056 at the network perimeter and between untrusted network segments
Patch Information
Microsoft addressed CVE-2024-21357 in its February 2024 Patch Tuesday release. Administrators should consult the Microsoft Security Update Guide for CVE-2024-21357 to identify the correct KB article for each affected operating system version and deploy through Windows Update, WSUS, or the Microsoft Update Catalog.
Workarounds
- Disable the Windows Message Queuing service (MSMQ) on hosts that do not require it: Stop-Service MSMQ; Set-Service MSMQ -StartupType Disabled
- If MSMQ is required, restrict PGM listeners to trusted internal segments using host-based firewall rules and IPsec policies
- Apply network segmentation to ensure that systems running MSMQ are not reachable from untrusted networks or the public internet
# Disable inbound PGM traffic on Windows hosts where MSMQ is not required
# (PowerShell continues a line with a backtick, not a backslash)
New-NetFirewallRule -DisplayName "Block PGM Inbound (CVE-2024-21357)" `
    -Direction Inbound -Protocol TCP -LocalPort 3056 -Action Block
New-NetFirewallRule -DisplayName "Block PGM Inbound UDP (CVE-2024-21357)" `
    -Direction Inbound -Protocol UDP -LocalPort 3056 -Action Block
# Optionally remove the Message Queuing feature entirely (client SKUs; on Windows Server use Remove-WindowsFeature MSMQ)
Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Container -NoRestart
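To support the inventory step in the immediate actions (find hosts with Message Queuing installed and PGM listeners exposed) and to confirm the firewall workaround above took effect, here is an added per-host exposure check; it is not from the advisory or from Microsoft. It assumes Windows 8 / Server 2012 or later for the NetTCPIP and NetSecurity cmdlets and an elevated session; the Risk labels are an assumed triage scheme.

```powershell
# Added example: report one host's MSMQ / PGM (port 3056) exposure for CVE-2024-21357 triage.
function Get-MsmqPgmExposure {
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue

    # Anything bound to the PGM port named in the advisory, TCP or UDP
    $tcp = @(Get-NetTCPConnection -LocalPort 3056 -State Listen -ErrorAction SilentlyContinue)
    $udp = @(Get-NetUDPEndpoint   -LocalPort 3056 -ErrorAction SilentlyContinue)
    $owners = @($tcp + $udp) |
        ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } |
        Where-Object { $_ } | Sort-Object -Unique

    # Enabled inbound block rules for the port, i.e. whether the workaround is in place
    $blockRules = @(Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq '3056' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' })

    $listening = ($tcp.Count + $udp.Count) -gt 0
    $running   = $svc -and $svc.Status -eq 'Running'

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        MsmqInstalled  = [bool]$svc
        MsmqStatus     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
        Port3056Listen = $listening
        ListenerOwners = ($owners -join ', ')
        InboundBlocked = $blockRules.Count -gt 0
        # Assumed triage labels: exposure first, then patch verification
        Risk           = if ($running -and $listening -and $blockRules.Count -eq 0) {
                             'High: apply the February 2024 update, then disable MSMQ or block 3056'
                         } elseif ($running) {
                             'Medium: MSMQ running, verify the February 2024 update is installed'
                         } else { 'Low: MSMQ not running' }
    }
}

Get-MsmqPgmExposure | Format-List
```

Wrap the function in Invoke-Command across the server fleet to turn it into an inventory, and keep the output alongside the patch-compliance report.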
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.