CVE-2024-30080 - Microsoft Message Queuing (MSMQ) Remote Code Execution vulnerability
DCS 6.x
CSP 7.x/8.x
As part of June's Patch Tuesday, Microsoft has patched a critical (CVSS score 9.8) Message Queuing (MSMQ) vulnerability, CVE-2024-30080. By sending specially crafted MSMQ packets to a vulnerable server, an attacker can exploit the vulnerability to achieve remote code execution and take over the unpatched server. The reported flaw affects various Windows operating systems starting from Windows Server 2008 and Windows 10.
Symantec protects you from this threat, identified by the following:
Network-based
Web Attack: Microsoft Message Queue CVE-2024-30080
DCS Policy-based Protection
The default hardening sandbox for the MSMQ service protects Windows servers from exploitation of this vulnerability by blocking the use of living-off-the-land (LOL) binaries for malicious activity, credential dumping, and the installation of unauthorized malware tools.
Additional Protection
If the Message Queue Service is not used
To protect a Windows Server on which the Message Queue Service is installed but not used, the DCS IPS Policy can be set to deny that service from running.
The following DCS rule blocks the MSMQ service from running by routing the process to the Deny Sandbox.
Rule Details:
Open your DCS Policy, choose Application Rules
Click Add, and select the type of "Application"
Click Next
Enter the following Application Name: Message Queue Service Deny
In the bottom left, click Add to enter the application details
Program Path: %systemroot%\system32\mqsvc.exe
Click OK, and then Add
You will now be back at the list of Applications
Find the new entry "Message Queue Service Deny" and change the Sandbox option at the right to "Deny Sandbox"
Save and apply the updated policy to a test machine
Once testing confirms the policy is working as expected, you can apply this updated policy to the other servers.
If the Message Queue Service is used
If Message Queue Service usage is required, you can reduce the attack surface by adding a Global Inbound Network hardening rule that limits incoming MSMQ connections on port 1801 to trusted internal sources only.
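As an added example that is not part of the Symantec bulletin, the following PowerShell performs the Windows-native counterparts of the two options above: it reports whether MSMQ is installed and listening on 1801, disables the service where it is unused, and scopes inbound 1801/TCP to trusted sources with Windows Firewall (a defence-in-depth complement to the DCS rules, not a replacement for them). The $TrustedSources ranges, the function names and the firewall rule name are assumptions; run it as Administrator on the server itself.

```powershell
# Added example, not the bulletin's own procedure. Assumes PowerShell 5.1+ run as Administrator.
# "MSMQ" is the standard service name of Message Queuing; 1801/TCP is its listener port.
$TrustedSources = @('10.0.0.0/8', '192.168.10.0/24')   # placeholder internal ranges; replace with yours

function Get-MsmqExposure {
    # Report whether the Message Queuing service exists/runs and whether 1801/TCP is listening.
    $svc    = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $listen = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed   = [bool]$svc
        Status      = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        StartType   = if ($svc) { $svc.StartType } else { 'n/a' }
        Listening   = [bool]$listen
        ListenAddrs = ($listen | ForEach-Object { $_.LocalAddress }) -join ','
    }
}

function Disable-MsmqService {
    # Counterpart of the "Deny Sandbox" rule when MSMQ is not used: stop and disable the service
    # so mqsvc.exe no longer runs or listens.
    Stop-Service -Name 'MSMQ' -Force -ErrorAction Stop
    Set-Service  -Name 'MSMQ' -StartupType Disabled
}

function Set-MsmqInboundScope {
    # Counterpart of the Global Inbound Network hardening rule when MSMQ is needed: allow inbound
    # 1801/TCP from trusted sources only. A scoped allow rule only helps once broader allow rules
    # for the same port are disabled, so those are turned off first. Rules that match mqsvc.exe by
    # program rather than by port are not caught here; review them with Get-NetFirewallRule.
    param([string[]]$RemoteAddress = $TrustedSources)
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '1801' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'MSMQ 1801/TCP from trusted sources only' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 `
        -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null
}

# Inventory first; call Disable-MsmqService or Set-MsmqInboundScope depending on whether MSMQ is used.
Get-MsmqExposure | Format-List
```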