On 11 June 2024, Microsoft published their June 2024 security update with patches for 49 vulnerabilities. Among these, Arctic Wolf is highlighting CVE-2024-30080, which is categorised as critical, as the highest-severity vulnerability in this Patch Tuesday release. No proof of concept (PoC) exploit or active exploitation of CVE-2024-30080 has been identified at this time.
Impacted Product: Windows
Vulnerabilities Impacting Windows:
CVE-2024-30080 | CVSS: 9.8 – Critical | MS Severity: Critical | No Exploitation Detected |
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability – A threat actor can exploit this vulnerability by sending a malicious MSMQ packet to an MSMQ server to achieve Remote Code Execution (RCE).
Recommendations
Recommendation #1: Apply Security Updates to Impacted Products
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.
Note: Please follow your organisation's patching and testing guidelines to avoid operational impact.
Product | Vulnerability | Article | Download |
Windows 10 for 32-bit Systems | CVE-2024-30080 | 5039225 | Security Update |
Windows 10 for x64-based Systems | CVE-2024-30080 | 5039225 | Security Update |
Windows 10 Version 1607 for 32-bit Systems | CVE-2024-30080 | 5039214 | Security Update |
Windows 10 Version 1607 for x64-based Systems | CVE-2024-30080 | 5039214 | Security Update |
Windows 10 Version 1809 for 32-bit Systems | CVE-2024-30080 | 5039217 | Security Update |
Windows 10 Version 1809 for ARM64-based Systems | CVE-2024-30080 | 5039217 | Security Update |
Windows 10 Version 1809 for x64-based Systems | CVE-2024-30080 | 5039217 | Security Update |
Windows 10 Version 21H2 for 32-bit Systems | CVE-2024-30080 | 5039211 | Security Update |
Windows 10 Version 21H2 for ARM64-based Systems | CVE-2024-30080 | 5039211 | Security Update |
Windows 10 Version 21H2 for x64-based Systems | CVE-2024-30080 | 5039211 | Security Update |
Windows 10 Version 22H2 for 32-bit Systems | CVE-2024-30080 | 5039211 | Security Update |
Windows 10 Version 22H2 for ARM64-based Systems | CVE-2024-30080 | 5039211 | Security Update |
Windows 10 Version 22H2 for x64-based Systems | CVE-2024-30080 | 5039211 | Security Update |
Windows 11 version 21H2 for ARM64-based Systems | CVE-2024-30080 | 5039213 | Security Update |
Windows 11 version 21H2 for x64-based Systems | CVE-2024-30080 | 5039213 | Security Update |
Windows 11 Version 22H2 for ARM64-based Systems | CVE-2024-30080 | 5039212 | Security Update |
Windows 11 Version 22H2 for x64-based Systems | CVE-2024-30080 | 5039212 | Security Update |
Windows 11 Version 23H2 for ARM64-based Systems | CVE-2024-30080 | 5039212 | Security Update |
Windows 11 Version 23H2 for x64-based Systems | CVE-2024-30080 | 5039212 | Security Update |
Windows Server 2008 for 32-bit Systems Service Pack 2 | CVE-2024-30080 | 5039245, 5039266 | Monthly Rollup, Security Only |
Windows Server 2008 for x64-based Systems Service Pack 2 | CVE-2024-30080 | 5039245, 5039266 | Monthly Rollup, Security Only |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | CVE-2024-30080 | 5039289, 5039274 | Monthly Rollup, Security Only |
Windows Server 2012 | CVE-2024-30080 | 5039260 | Monthly Rollup |
Windows Server 2012 R2 | CVE-2024-30080 | 5039294 | Monthly Rollup |
Windows Server 2016 | CVE-2024-30080 | 5039214 | Security Update |
Windows Server 2019 | CVE-2024-30080 | 5039217 | Security Update |
Windows Server 2022 | CVE-2024-30080 | 5039227, 5039330 | Security Update, Security Hotpatch Update |
Windows Server 2022, 23H2 Edition | CVE-2024-30080 | 5039236 | Security Update |
Recommendation #2: Disable Message Queuing Service (MSMQ) if not Required
A system is vulnerable to CVE-2024-30080 only if the Message Queuing (MSMQ) service is enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.
Note: You can check whether MSMQ is enabled by looking for a running service named “Message Queuing” and for TCP port 1801 listening on the system.
If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources.
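The check described in the note above, combined with a lookup of the update from the table, as an added PowerShell example (not part of the original advisory). The $ExpectedKbs default is an assumption taken from the Windows Server 2019 row; replace it with the Article number(s) for the host's own Windows version.

```powershell
# Added example: audit one Windows host for exposure to CVE-2024-30080.
# ASSUMPTION: $ExpectedKbs defaults to the Windows Server 2019 row of the
# table (Article 5039217). Pass the Article number(s) matching this host.
param(
    [string[]]$ExpectedKbs = @('KB5039217')
)

# The service has the short name "MSMQ" and the display name "Message Queuing".
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$serviceInstalled = $null -ne $svc
$serviceRunning   = $serviceInstalled -and $svc.Status -eq 'Running'

# Any socket listening on TCP 1801, and the process that owns it.
$listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
$owners = $listeners | ForEach-Object {
    (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
} | Sort-Object -Unique

# Installed updates. A later cumulative update supersedes the June 2024 one,
# so a missing KB here means "verify the patch level", not "unpatched".
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID)
$kbFound = @($ExpectedKbs | Where-Object { $installed -contains $_ })

$exposed = $serviceRunning -or ($listeners.Count -gt 0)
$finding = if (-not $exposed) {
    'MSMQ not running and TCP 1801 not listening'
} elseif ($kbFound.Count -gt 0) {
    'MSMQ enabled; expected update is installed'
} else {
    'MSMQ enabled; expected update not found, verify patch level'
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    ServiceInstalled = $serviceInstalled
    ServiceStatus    = if ($serviceInstalled) { [string]$svc.Status } else { 'NotInstalled' }
    StartType        = if ($serviceInstalled) { [string]$svc.StartType } else { $null }
    Port1801Listen   = $listeners.Count -gt 0
    ListenerProcess  = $owners -join ', '
    ExpectedKbs      = $ExpectedKbs -join ', '
    InstalledKbs     = $kbFound -join ', '
    Finding          = $finding
}
```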