MEDIUM: Accessible MSMQ Service Report

DESCRIPTION LAST UPDATED: 2024-06-12

DEFAULT SECURITY LEVEL: MEDIUM

Introduction

This report identifies accessible Microsoft Message Queuing (MSMQ) servers on port 1801/TCP. This service may be optionally enabled on Windows operating systems, including Windows Server 2022 and Windows 11.

According to Microsoft, Microsoft Message Queuing is a message infrastructure and a development platform for creating distributed, loosely-coupled messaging applications for the Microsoft® Windows® operating system. Message Queuing applications can use the Message Queuing infrastructure to communicate across heterogeneous networks and with computers that may be offline. Message Queuing provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging.

On June 11th 2024, Microsoft published information about a critical Remote Code Execution (RCE) vulnerability in MSMQ, which was assigned CVE-2024-30080 (CVSS:3.1 score 9.8/10).

On April 11th 2023, Check Point published information about multiple vulnerabilities in the service on Windows, under the title "QueueJumper: Critical Unauthenticated RCE Vulnerability in MSMQ Service".

This includes CVE-2023-21554 (QueueJumper), an unauthenticated remote code execution vulnerability.

These vulnerabilities were patched by Microsoft on the 11th April 2023.

For more details on the background of QueueJumper, please read the Check Point publication.

How we scan

Please note that we do not test for the actual vulnerabilities mentioned; we simply check for exposure of the MSMQ service.

We scan by sending a request to establish an MSMQ connection.

We do not perform any intrusive checks on a discovered service.

As of 2024-06-11, we identified 256K accessible MSMQ services (reduced from 403K accessible MSMQ services on 2023-04-12).

Dashboard

You can track accessible MSMQ servers on our Dashboard here.

Mitigation

There is no good reason to expose the MSMQ service to the public Internet. If you receive a report from us with an accessible MSMQ service, make sure to block 1801/tcp on your network perimeter immediately (or restrict access to trusted sources, if there is a valid business case) and patch.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report has an IPv4 and IPv6 version.

Filename: population_msmq, population6_msmq

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always TCP)
  • port
    Port that the response came from (typically 1801/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to msmq
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the device in question
  • response_size
    Size of response to the probe

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","response_size"
"2010-02-10 00:00:00",info,192.168.0.1,tcp,1801,node01.example.com,msmq,64512,ZZ,Region,City,0,,,572
"2010-02-10 00:00:01",info,192.168.0.2,tcp,1801,node02.example.com,msmq,64512,ZZ,Region,City,0,,,572
"2010-02-10 00:00:02",info,192.168.0.3,tcp,1801,node03.example.com,msmq,64512,ZZ,Region,City,0,,,572
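
As an added example (not Shadowserver's own code), the following Python reads a report in the layout shown above, from either the IPv4 or the IPv6 file, and keeps the newest sighting of each MSMQ endpoint that falls inside your own address space. The rows in SAMPLE_REPORT are constructed, and OWN_PREFIXES and triage() are hypothetical names chosen for this example.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the report's column layout (not real data).
SAMPLE_REPORT = '''"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","response_size"
"2010-02-10 00:00:00",info,192.168.0.1,tcp,1801,node01.example.com,msmq,64512,ZZ,Region,City,0,,,572
"2010-02-10 00:00:01",info,192.168.0.2,tcp,1801,node02.example.com,msmq,64512,ZZ,Region,City,0,,,572
"2010-02-11 00:00:00",info,192.168.0.1,tcp,1801,node01.example.com,msmq,64512,ZZ,Region,City,0,,,572
"2010-02-10 00:00:02",info,10.9.9.9,tcp,1801,,msmq,64513,ZZ,Region,City,0,,,572
"2010-02-10 00:00:03",info,2001:db8::5,tcp,1801,,msmq,64512,ZZ,Region,City,0,,,572
'''

# Assumption: the prefixes your organisation is responsible for.
OWN_PREFIXES = ["192.168.0.0/24", "2001:db8::/32"]


def triage(report_text, own_prefixes):
    """Return {(ip, port): row} with the newest sighting of each MSMQ
    endpoint whose address lies inside one of own_prefixes."""
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    latest = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        if row.get("tag") != "msmq":
            continue
        try:
            ip = ipaddress.ip_address(row["ip"])
            port = int(row["port"])
        except (KeyError, TypeError, ValueError):
            continue  # skip truncated or malformed rows
        # Compare only against prefixes of the same IP version.
        if not any(ip.version == n.version and ip in n for n in nets):
            continue
        key = (str(ip), port)
        # Timestamps are "YYYY-MM-DD HH:MM:SS" in UTC, so string order is time order.
        if key not in latest or row["timestamp"] > latest[key]["timestamp"]:
            latest[key] = row
    return latest


if __name__ == "__main__":
    for (ip, port), row in sorted(triage(SAMPLE_REPORT, OWN_PREFIXES).items()):
        print(f"{ip} {port}/tcp last seen {row['timestamp']} host={row['hostname'] or '-'}")
```

Each endpoint returned is a host where 1801/tcp should be blocked or restricted at the perimeter and the system patched, as described under Mitigation.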





