DCS Protection for CVE-2024-30080 - Microsoft Message Queuing (MSMQ) Remote Code Execution vulnerability

Article ID: 371420

Products

Data Center Security Server Advanced
Data Center Security Server
Data Center Security Monitoring Edition

Issue/Introduction

CVE-2024-30080 - Microsoft Message Queuing (MSMQ) Remote Code Execution vulnerability

Environment

DCS 6.x
CSP 7.x/8.x

Cause

As part of the June 2024 Patch Tuesday release, Microsoft patched a critical (CVSS 9.8) Microsoft Message Queuing (MSMQ) vulnerability, CVE-2024-30080. By sending specially crafted MSMQ packets to a vulnerable server, an attacker could achieve remote code execution and take over the unpatched host. The flaw affects Windows operating systems from Windows Server 2008 and Windows 10 onward.

Resolution

Symantec protects against this threat with the following detections and policy controls:

Network-based

Web Attack: Microsoft Message Queue CVE-2024-30080

DCS Policy-based Protection
The default hardening sandbox for the MSMQ service (mqsvc.exe) limits what an attacker can do after a successful exploit: it blocks the abuse of living-off-the-land (LOL) binaries, credential dumping, and the installation of unauthorized malware tools from the service's process context. This containment does not remove the vulnerability itself, so the Microsoft June 2024 update should still be applied.

Additional Protection

If the Message Queue Service is not used

If the Message Queue Service is installed on a Windows Server but not used, the DCS IPS policy can be set to deny the service from running at all, which removes the exposed listener.


To block the MSMQ service from running, create a DCS rule that routes the process to the Deny Sandbox.

Rule Details:
Open your DCS Policy and choose Application Rules.
Click Add and select the type "Application".
Click Next.
Enter the following Application Name: Message Queue Service Deny
In the bottom left, click Add to enter the application details.
Program Path: %systemroot%\system32\mqsvc.exe
Click OK, and then Add.
You will now be back at the list of Applications.
Find the new entry "Message Queue Service Deny" and change the Sandbox option on the right to "Deny Sandbox".
Save and apply the updated policy to a test machine first.
Once testing confirms the policy is working as expected (the MSMQ service fails to start and no dependent application breaks), apply the updated policy to the other servers.


If the Message Queue Service is used

If Message Queue Service usage is required, reduce the attack surface by adding a Global Inbound Network hardening rule that limits incoming MSMQ connections on TCP port 1801 (the MSMQ listener) to trusted internal sources only. This narrows who can reach the vulnerable code path but does not fix the flaw; the Microsoft June 2024 update remains the primary remediation.
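Before choosing between the two options above (deny the service, or restrict port 1801), an administrator needs to know whether MSMQ is actually installed, listening, and talking to anyone. The following PowerShell script is an added example and is not part of the Symantec article or the DCS product; it runs read-only on the Windows server being assessed. The trusted address ranges in $TrustedCidrs are assumed placeholders to be replaced with your own internal networks, and the 'MSMQ' service name and mqsvc.exe path are the standard Windows values.

```powershell
# Added example (not from the Symantec KB article): triage MSMQ exposure on a Windows server
# to decide between the DCS "Deny Sandbox" rule and the port 1801 inbound hardening rule.
# Read-only. Run in an elevated PowerShell session on Windows Server 2012 or later
# (Get-NetTCPConnection requires the NetTCPIP module shipped with those versions).

function ConvertTo-IPv4UInt {
    # Convert a dotted-quad IPv4 address to an unsigned 32-bit value (as [uint64] to avoid
    # signed-shift surprises in Windows PowerShell 5.1).
    param([System.Net.IPAddress]$Address)
    $value = [uint64]0
    foreach ($b in $Address.GetAddressBytes()) { $value = ($value -shl 8) -bor [uint64]$b }
    return $value
}

function Test-InCidr {
    # Return $true if $Address (IPv4 only in this example) falls inside any of $Cidrs.
    param([string]$Address, [string[]]$Cidrs)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }   # IPv6 peers are not classified here
    $addrBits = ConvertTo-IPv4UInt -Address $ip
    foreach ($cidr in $Cidrs) {
        $net, $len = $cidr -split '/'
        $netBits = ConvertTo-IPv4UInt -Address ([System.Net.IPAddress]::Parse($net))
        # Build the network mask; shifting by 32 (for /0) correctly yields a zero mask.
        $mask = ([uint64]0xFFFFFFFF -shl (32 - [int]$len)) -band [uint64]0xFFFFFFFF
        if (($addrBits -band $mask) -eq ($netBits -band $mask)) { return $true }
    }
    return $false
}

function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        # Assumed placeholder ranges for "trusted internal sources"; replace with your own.
        [string[]]$TrustedCidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
    )

    # Windows service name for Message Queuing is MSMQ; binary path matches the DCS deny rule.
    $svc    = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $binary = Join-Path $env:SystemRoot 'System32\mqsvc.exe'

    # Is anything listening on, or currently connected to, the MSMQ port (TCP 1801)?
    $listening   = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
    $established = @(Get-NetTCPConnection -LocalPort 1801 -State Established -ErrorAction SilentlyContinue)

    # Remote peers talking to MSMQ right now; anything outside the trusted ranges needs review
    # before the inbound hardening rule is applied, or it will be cut off.
    $peers     = @($established | Select-Object -ExpandProperty RemoteAddress -Unique)
    $untrusted = @($peers | Where-Object { -not (Test-InCidr -Address $_ -Cidrs $TrustedCidrs) })

    $recommendation = if (-not $svc) {
        'MSMQ service not installed: no DCS change needed for this CVE'
    } elseif ($established.Count -eq 0) {
        'MSMQ installed but idle: candidate for the DCS Deny Sandbox rule on mqsvc.exe (confirm with owners first)'
    } else {
        'MSMQ in use: keep the service, restrict inbound TCP 1801 to trusted sources'
    }

    [pscustomobject]@{
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        BinaryPresent    = Test-Path -Path $binary
        ListeningOn1801  = ($listening.Count -gt 0)
        ActivePeers      = $peers
        UntrustedPeers   = $untrusted
        Recommendation   = $recommendation
    }
}

# Usage: run on the server under assessment.
Get-MsmqExposure | Format-List
```

A single snapshot of established connections cannot prove that MSMQ is unused (queues may only be polled at intervals), so treat an "idle" result as a prompt to confirm with the application owners, and then validate the Deny Sandbox rule on a test machine as the article describes. The UntrustedPeers list is the practical input for the inbound hardening rule: any legitimate client appearing there must be added to the trusted sources before the port 1801 restriction is enforced.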