TCP
Dangerous
Messaging
Port 5672 (RabbitMQ)
## Quick Info
| Field | Value |
|---|---|
| Port Number | 5672 |
| Protocol | TCP |
| Service | RabbitMQ |
| IANA Name | RabbitMQ |
## Service Description
Port 5672 (TCP) is the default port for the Advanced Message Queuing Protocol (AMQP). AMQP is an open standard message protocol used for passing business messages between applications or organizations. It enables disparate systems to communicate asynchronously, allowing for decoupled architectures where senders (producers) and receivers (consumers) don't need to be online simultaneously or even aware of each other's existence. RabbitMQ is the most popular implementation of an AMQP message broker, acting as an intermediary to receive, store, and route messages. Other AMQP brokers exist, but RabbitMQ is by far the dominant player.
At a technical level, the AMQP protocol defines a binary wire protocol for efficient and reliable message transfer. Clients connect to the RabbitMQ broker over TCP port 5672 (or 5671 for TLS-encrypted connections). The protocol defines exchanges, queues, and bindings. Producers send messages to exchanges, which then route the messages to queues based on pre-defined binding rules. Consumers subscribe to queues to receive messages. AMQP supports various message delivery guarantees, including acknowledgments (ACKs) to ensure messages are processed successfully. The protocol also includes features like message persistence, transactionality, and security through authentication and authorization.
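To make the wire format concrete, the following added example parses the first frame a broker sends, AMQP 0-9-1 `Connection.Start`, which advertises the authentication mechanisms on offer; over plaintext port 5672 the `PLAIN` mechanism carries the username and password unencrypted. It is not code from the original page or from the RabbitMQ project: the sample frame is constructed inline and the helper names `build_sample_start` and `parse_connection_start` are hypothetical.

```python
import struct

AMQP_HEADER = b"AMQP\x00\x00\x09\x01"  # first bytes an AMQP 0-9-1 client sends
FRAME_METHOD, FRAME_END = 1, 0xCE


def build_sample_start(mechanisms=b"PLAIN AMQPLAIN", locales=b"en_US"):
    """Build a constructed Connection.Start frame with an empty server-properties table."""
    payload = struct.pack(">HHBB", 10, 10, 0, 9)   # class 10, method 10, version 0-9
    payload += struct.pack(">I", 0)                # server-properties: empty field table
    payload += struct.pack(">I", len(mechanisms)) + mechanisms
    payload += struct.pack(">I", len(locales)) + locales
    header = struct.pack(">BHI", FRAME_METHOD, 0, len(payload))
    return header + payload + bytes([FRAME_END])


def parse_connection_start(frame):
    """Return (version, mechanisms, locales); raise ValueError on a malformed frame."""
    try:
        ftype, channel, size = struct.unpack_from(">BHI", frame, 0)
        if len(frame) != 7 + size + 1 or frame[-1] != FRAME_END:
            raise ValueError("length mismatch or missing frame-end octet")
        if ftype != FRAME_METHOD or channel != 0:
            raise ValueError("expected a method frame on channel 0")
        body = frame[7:-1]
        class_id, method_id, major, minor = struct.unpack_from(">HHBB", body, 0)
        if (class_id, method_id) != (10, 10):
            raise ValueError("not Connection.Start")
        pos, fields = 6, []
        for _ in range(3):  # table, mechanisms, locales are all 4-byte length-prefixed
            (length,) = struct.unpack_from(">I", body, pos)
            pos += 4
            if pos + length > len(body):
                raise ValueError("field runs past end of frame")
            fields.append(body[pos:pos + length])
            pos += length
    except struct.error as exc:
        raise ValueError("truncated frame") from exc
    mechanisms = fields[1].decode("ascii").split()
    locales = fields[2].decode("ascii").split()
    return (major, minor), mechanisms, locales


if __name__ == "__main__":
    version, mechanisms, locales = parse_connection_start(build_sample_start())
    print("AMQP %d-%d, mechanisms=%s, locales=%s" % (*version, mechanisms, locales))
```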
## Firewall Recommendations
If RabbitMQ is not intended to be accessed from outside the local network, port 5672 should be blocked by the firewall. If external access is required, it should be strictly controlled using firewall rules to allow only trusted IP addresses or networks. Always use TLS encryption (port 5671) to protect data in transit. Implement strong authentication and authorization mechanisms, avoiding default credentials. Regularly update RabbitMQ and the underlying operating system to patch security vulnerabilities. Implement proper auditing and monitoring to detect suspicious activity. Consider using a VPN for remote access to the RabbitMQ server. Implement rate limiting to prevent denial-of-service attacks. Use network segmentation to isolate the RabbitMQ server from other critical systems.
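One way to check a broker's `rabbitmq.conf` against the recommendations above (plaintext listener exposure, missing TLS listener, remotely usable default `guest` account), as an added example that is not the page's or the RabbitMQ project's own code. Both sample configs are constructed, the certificate paths are placeholders, and the finding names are hypothetical.

```python
# Constructed sample configs; certificate paths are placeholders.
WEAK_CONF = """\
listeners.tcp.default = 5672
loopback_users = none
"""

HARDENED_CONF = """\
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
loopback_users.guest = true
"""

LOOPBACK_PREFIXES = ("127.0.0.1:", "::1:", "localhost:")


def parse_conf(text):
    """Parse the 'key = value' rabbitmq.conf format, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a sorted list of finding names (hypothetical labels) for one config."""
    conf = parse_conf(text)
    findings = set()
    if conf.get("listeners.tcp") != "none":
        # With no listeners.tcp.* key the broker still opens plaintext 5672 on all interfaces.
        tcp = [v for k, v in conf.items() if k.startswith("listeners.tcp.")] or ["5672"]
        if any(not v.startswith(LOOPBACK_PREFIXES) for v in tcp):
            findings.add("plaintext-amqp-exposed")
    if not any(k.startswith("listeners.ssl.") for k in conf):
        findings.add("no-tls-listener")
    if conf.get("loopback_users") == "none" or conf.get("loopback_users.guest") == "false":
        findings.add("guest-remote-login")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text))
```

An empty config is reported as exposed as well, because the broker's defaults open a plaintext listener on 5672 without any TLS listener.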
## Security Information
Port 5672, when exposed without proper security measures, presents several significant security risks. If an attacker gains unauthorized access to the RabbitMQ server, they can inject malicious messages into queues, potentially disrupting services, injecting code into consuming applications, or extracting sensitive data. Weak or default credentials are a common attack vector, allowing attackers to gain administrative control of the broker. Additionally, vulnerabilities in the RabbitMQ software itself or in the underlying operating system can be exploited. If TLS is not enforced (that is, clients connect to plaintext port 5672 rather than the TLS listener on port 5671), traffic can be intercepted and sensitive data, including credentials and message content, can be exposed. A lack of proper access controls and auditing makes it difficult to detect and respond to malicious activity.
## Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2024-26505 | RabbitMQ Erlang Plugin Privilege Escalation | Critical | The Erlang plugin in RabbitMQ versions prior to 3.13.0 allows an attacker with access to a RabbitMQ management UI to gain administrative privileges. |
| CVE-2023-36052 | RabbitMQ Management UI Cross-Site Scripting (XSS) | Medium | The RabbitMQ Management UI in versions before 3.12.0 is vulnerable to reflected cross-site scripting (XSS). An attacker can craft a malicious URL that, when visited by an authenticated user, executes arbitrary JavaScript code in the user's browser. |
| CVE-2022-29990 | RabbitMQ MQTT Plugin Denial of Service | Medium | The MQTT plugin in RabbitMQ versions before 3.9.12 allows a remote attacker to cause a denial-of-service (DoS) by sending specially crafted MQTT packets. |
| CVE-2019-11355 | jQuery before 3.4.0 is vulnerable to Cross-site Scripting (XSS) via the load method | Medium | RabbitMQ management UI uses jQuery. Versions of jQuery prior to 3.4.0 are vulnerable to cross-site scripting (XSS). |
## Common Software
- RabbitMQ
- Apache Qpid
- Red Hat AMQ
- CloudAMQP
- Pivotal Cloud Foundry
- Spring AMQP
- Celery (with RabbitMQ broker)
- MassTransit