Full Report
Detect and mitigate CVE-2023-28252, EoP vulnerability exploited in the wild, and CVE-2023-21554, a critical RCE vulnerability. Organizations should patch urgently.
Analysis Summary
# Vulnerability: Critical RCE in MSMQ (QueueJumper) and Exploited EoP in CLFS
## CVE Details
- CVE ID: CVE-2023-21554 (RCE in MSMQ)
- CVE ID: CVE-2023-28252 (EoP in CLFS)
- CVSS Score: Not explicitly stated, but **CVE-2023-21554 is described as "critical."**
- CWE: Not explicitly stated.
## Affected Systems
- Products: Microsoft Windows (All releases up to April Patch Tuesday KBs)
- Versions: All Windows releases prior to the April 2023 security updates.
- Configurations:
  - CVE-2023-21554: Systems with the Microsoft Message Queuing (MSMQ) service enabled (often enabled automatically by dependent software such as Exchange Server).
  - CVE-2023-28252: Any Windows system using the Common Log File System (CLFS) driver.
## Vulnerability Description
**CVE-2023-21554 (QueueJumper):** This is a critical Remote Code Execution (RCE) vulnerability within the Microsoft Message Queuing (MSMQ) service. An unauthenticated attacker can trigger this flaw by sending a single, specially crafted packet to TCP port 1801, allowing them to execute arbitrary code in the context of the `mqsvc.exe` process.
**CVE-2023-28252:** This is an Elevation of Privilege (EoP) vulnerability in the Windows Common Log File System (CLFS), residing in the `clfs.sys` driver. It is an out-of-bounds write that occurs when the system attempts to extend the metadata block during log file creation or extension. Successful exploitation grants the attacker **SYSTEM** privileges.
## Exploitation
- Status:
  - CVE-2023-21554: Status not specified, but it is a critical RCE flaw.
  - CVE-2023-28252: **Exploited in the wild** by threat actors, specifically linked to the deployment of Nokoyawa ransomware payloads.
- Complexity:
  - CVE-2023-21554: Low (unauthenticated, network accessible via TCP port 1801).
  - CVE-2023-28252: Implied low/medium, as it is being actively used for privilege escalation to deploy ransomware.
- Attack Vector:
  - CVE-2023-21554: Network (via TCP port 1801).
  - CVE-2023-28252: Local (requires prior access or a successful initial foothold).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2023-21554 (RCE) | High | High | High |
| CVE-2023-28252 (EoP) | High (SYSTEM access) | High (SYSTEM access) | High (SYSTEM access) |
## Remediation
### Patches
- Apply the security updates released by Microsoft in the April 2023 Patch Tuesday (April 11).
### Workarounds
For **CVE-2023-21554 (MSMQ RCE)**:
1. Disable the MSMQ service via the Control Panel (Note: This may break applications relying on MSMQ).
2. Block inbound connections to TCP port 1801 from untrusted sources at the network perimeter/firewall.
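The two workarounds above, as an added PowerShell example that is not part of the original advisory: it audits whether this host is exposed (MSMQ service present, something listening on TCP 1801, any update installed on or after April 11, 2023) and, only when the `-ApplyBlock` or `-DisableService` switches are given, applies the firewall block or disables the service. The switch names and the post-April-11 hotfix heuristic are this example's own assumptions; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original advisory): audit and, on request, apply
# the CVE-2023-21554 workarounds. Switch names are assumptions of this script.
param(
    [switch]$ApplyBlock,       # create an inbound block rule for TCP 1801
    [switch]$DisableService    # stop and disable the MSMQ service
)

# 1. Is the MSMQ service installed, and what state is it in?
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "MSMQ service not installed: CVE-2023-21554 does not apply to this host."
} else {
    Write-Output ("MSMQ service status: {0} (start type: {1})" -f $svc.Status, $svc.StartType)
}

# 2. Is anything listening on the vulnerable port?
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("TCP 1801 is listening on {0} (PID {1}, {2})" -f
            $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Output "Nothing is listening on TCP 1801."
}

# 3. Heuristic patch check (assumption: any hotfix installed on or after the
#    April 2023 Patch Tuesday date). Confirm the exact KB for your build against
#    the MSRC advisory before treating the host as patched.
$april2023 = Get-Date -Year 2023 -Month 4 -Day 11
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $april2023 }
if ($recent) {
    Write-Output "Updates installed on/after 2023-04-11:"
    $recent | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output "No updates installed on/after 2023-04-11: treat this host as unpatched."
}

# 4. Workaround 2: block inbound TCP 1801 at the host firewall. This blocks all
#    remote sources; narrow it with -RemoteAddress if a trusted range must keep access.
if ($ApplyBlock) {
    New-NetFirewallRule -DisplayName 'Block inbound MSMQ TCP 1801 (CVE-2023-21554 workaround)' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block -Profile Any | Out-Null
    Write-Output "Inbound block rule for TCP 1801 created."
}

# 5. Workaround 1: disable the service (may break software that depends on MSMQ).
if ($DisableService -and $svc) {
    Stop-Service -Name MSMQ -Force
    Set-Service -Name MSMQ -StartupType Disabled
    Write-Output "MSMQ service stopped and set to Disabled."
}
```

Run it without switches first to see the exposure picture; the firewall rule is the lower-impact choice while the April update is rolled out, and the service should only be disabled after confirming nothing on the host depends on MSMQ.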
## Detection
### Indicators of Compromise (IoCs) - Primarily associated with CVE-2023-28252 exploitation:
- **File Artifacts:**
  - `C:\Users\Public\.container_`
  - `C:\Users\Public\MyLog_.blf`
  - `C:\Users\Public\p_*`
- **Malware Hashes:**
  - CVE-2023-28252 Exploit MD5: `46168ed7dbe33ffc4179974f8bf401aa`
  - CobaltStrike Loaders MD5s: `1e4dd35b16ddc59c1ecf240c22b8a4c4`, `f23be19024fcc7c8f885dfa16634e6e7`, `a2313d7fdb2f8f5e5c1962e22b504a17`
  - Nokoyawa Ransomware MD5 (32 hex characters): `8800e6f1501f69a0a04ce709e9fa251c`
- **Network Traffic (CobaltStrike C2):**
  - `vnssinc[.]com`
  - `qooqle[.]top`
  - `vsexec[.]com`
  - `devsetgroup[.]com`
### Detection Methods and Tools
- Use security tools and endpoint detection systems to search for the listed file artifacts or file hashes.
- Monitor for unusual activity involving the `clfs.sys` driver or attempts by lower-privileged processes to manipulate CLFS logging structures (for CVE-2023-28252).
- Monitor network traffic directed at TCP port 1801 (for CVE-2023-21554).
- In cloud environments, use the provider's or a security vendor's vulnerability query tooling (e.g., Wiz Threat Center) to enumerate instances that are still missing the April 2023 updates.
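A host-level hunt for the indicators listed above, as an added PowerShell example that is not part of the original advisory. It checks `C:\Users\Public` for the three file artifacts, hashes files under a few common drop locations against the listed MD5s, looks for the four C2 domains in the DNS client cache, and, as a heuristic of this example's own for CLFS abuse, lists recently created `.blf` base log files outside `C:\Windows`. The scan roots, the 50 MB size cap and the 14-day window are assumptions; adjust them for your estate. The script only reads.

```powershell
# Added example (not from the original advisory): read-only IoC hunt for the
# CVE-2023-28252 / Nokoyawa indicators. Scan roots and thresholds are assumptions.
$Hashes = @{
    '46168ed7dbe33ffc4179974f8bf401aa' = 'CVE-2023-28252 exploit'
    '1e4dd35b16ddc59c1ecf240c22b8a4c4' = 'CobaltStrike loader'
    'f23be19024fcc7c8f885dfa16634e6e7' = 'CobaltStrike loader'
    'a2313d7fdb2f8f5e5c1962e22b504a17' = 'CobaltStrike loader'
    '8800e6f1501f69a0a04ce709e9fa251c' = 'Nokoyawa ransomware'
}
$Domains          = @('vnssinc.com', 'qooqle.top', 'vsexec.com', 'devsetgroup.com')
$ArtifactPatterns = @('.container_', 'MyLog_.blf', 'p_*')          # from the advisory
$ScanRoots        = @('C:\Users\Public', $env:TEMP, 'C:\ProgramData')  # assumption
$MaxSize          = 50MB                                             # assumption
$BlfWindowDays    = 14                                               # assumption

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Value, $Note) {
    $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value; Note = $Note })
}

# 1. Named file artifacts in C:\Users\Public (hidden files included via -Force).
foreach ($pattern in $ArtifactPatterns) {
    Get-ChildItem -Path 'C:\Users\Public' -Filter $pattern -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'FileArtifact' $_.FullName "matches $pattern" }
}

# 2. MD5 sweep of files under the scan roots against the listed hashes.
foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt $MaxSize } |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($h -and $Hashes.ContainsKey($h.Hash.ToLower())) {
                Add-Finding 'HashMatch' $_.FullName $Hashes[$h.Hash.ToLower()]
            }
        }
}

# 3. C2 domains in the local DNS client cache (no lookups are performed here:
#    resolving the domains from a suspect host would itself leak a signal).
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $Domains) {
    $cache | Where-Object { $_.Entry -like "*$d" } |
        ForEach-Object { Add-Finding 'DnsCache' $_.Entry "C2 domain $d" }
}

# 4. Heuristic: CLFS base log files (.blf) created recently in user-writable
#    locations. Legitimate .blf files normally live under C:\Windows.
$since = (Get-Date).AddDays(-$BlfWindowDays)
foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Filter '*.blf' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -and $_.FullName -notlike 'C:\Windows\*' } |
        ForEach-Object { Add-Finding 'RecentBlf' $_.FullName ("created {0}" -f $_.CreationTime) }
}

if ($findings.Count -eq 0) {
    Write-Output "No listed indicators found on $env:COMPUTERNAME."
} else {
    Write-Output ("{0} indicator(s) found on {1}:" -f $findings.Count, $env:COMPUTERNAME)
    $findings | Format-Table -AutoSize
}
```

A hash match or a file artifact is a strong signal and warrants isolating the host; the recent-`.blf` check is only a lead, because some applications legitimately create CLFS logs, so review what process created the file before acting on it.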
## References
- Vendor Advisory (CVE-2023-21554): hXXps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554
- Vendor Advisory (CVE-2023-28252): hXXps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
- Research (QueueJumper): hXXps://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
- Research (Nokoyawa): hXXps://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/