UDP Vulnerability in Windows Deployment Services Allows 0-Click System Crashes
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A newly discovered vulnerability in Microsoft’s Windows Deployment Services (WDS) allows attackers to remotely crash servers with zero user interaction or authentication.
The flaw, which targets the UDP-based TFTP service at the WDS, could allow even low-skilled attackers to paralyze enterprise OS deployment infrastructure in minutes.
Notably, the attack leverages unauthenticated, spoofed network traffic, making it both stealthy and difficult to defend against with traditional security controls.
Zero-Click WDS TFTP Vulnerability
The flaw, which requires no authentication or user interaction (0-click), allows attackers to remotely exhaust system memory by exploiting a design weakness in how WDS handles UDP-based TFTP sessions on port 69.
“The core issue is that EndpointSessionMapEntry imposes no limit on the number of sessions. Consequently, an attacker can forge fake client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted,” Security researcher Zhiniang Peng explains in his published analysis.
The vulnerability stems from the WDS TFTP service, which creates a CTftpSession object each time a connection request is received.
The function wdstftp!CClientContext::OnConnectionRequest manages this process, as shown in this code snippet:
Since UDP servers cannot verify packet sources, attackers can spoof packets with randomized source addresses and ports, forcing the server to allocate excessive session objects in memory without limitation.
Proof of Concept
In a test environment running Windows Server Insider Preview with 8GB of RAM, Peng demonstrated that by continuously sending spoofed UDP packets to port 69, memory consumption rapidly increased to 15GB within just 7 minutes, causing the entire system to crash.
The attack technique is surprisingly simple to implement, requiring only basic scripting on a Linux machine to generate the spoofed packets.
While Peng only published pseudocode to prevent abuse, he noted that “multithreading could significantly accelerate the attack.”
This vulnerability poses a significant threat to organizations that rely on WDS for network-based OS deployment, as it allows attackers to completely disrupt PXE boot services across an enterprise without requiring any authentication or privileged access.
Windows Deployment Services is widely used in corporate networks, data centers, and educational institutions for streamlined OS deployments, making this vulnerability particularly concerning for IT administrators.
Despite Microsoft’s decision not to issue a patch, Peng argues that “it remains an important DoS vulnerability” that can “crash an entire PXE network in your corporation, paralyzing enterprise deployment systems remotely.”
This vulnerability follows previous WDS-related flaws, including a remote code execution vulnerability (CVE-2019-0603) that was patched in March 2019.
At present, there appears to be no effective mitigation strategy for organizations using Windows Deployment Services other than considering alternative deployment solutions or implementing strict network filtering to limit access to port 69.
#Cyber_Security #Cyber_Security_News #Vulnerability #Windows #Zero-Click #cyber_security #cyber_security_news #windows
Оригинальная версия на сайте:
UDP Vulnerability in Windows Deployment Services Allows 0-Click System Crashes
Author: KaaviyaA newly discovered vulnerability in Microsoft’s Windows Deployment Services (WDS) allows attackers to remotely crash servers with zero user interaction or authentication.
The flaw, which targets the UDP-based TFTP service at the WDS, could allow even low-skilled attackers to paralyze enterprise OS deployment infrastructure in minutes.
Notably, the attack leverages unauthenticated, spoofed network traffic, making it both stealthy and difficult to defend against with traditional security controls.
Zero-Click WDS TFTP Vulnerability
The flaw, which requires no authentication or user interaction (0-click), allows attackers to remotely exhaust system memory by exploiting a design weakness in how WDS handles UDP-based TFTP sessions on port 69.
“The core issue is that EndpointSessionMapEntry imposes no limit on the number of sessions. Consequently, an attacker can forge fake client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted,” Security researcher Zhiniang Peng explains in his published analysis.
The vulnerability stems from the WDS TFTP service, which creates a CTftpSession object each time a connection request is received.
The function wdstftp!CClientContext::OnConnectionRequest manages this process, as shown in this code snippet:
Since UDP servers cannot verify packet sources, attackers can spoof packets with randomized source addresses and ports, forcing the server to allocate excessive session objects in memory without limitation.
Proof of Concept
In a test environment running Windows Server Insider Preview with 8GB of RAM, Peng demonstrated that by continuously sending spoofed UDP packets to port 69, memory consumption rapidly increased to 15GB within just 7 minutes, causing the entire system to crash.
The attack technique is surprisingly simple to implement, requiring only basic scripting on a Linux machine to generate the spoofed packets.
While Peng only published pseudocode to prevent abuse, he noted that “multithreading could significantly accelerate the attack.”
This vulnerability poses a significant threat to organizations that rely on WDS for network-based OS deployment, as it allows attackers to completely disrupt PXE boot services across an enterprise without requiring any authentication or privileged access.
Windows Deployment Services is widely used in corporate networks, data centers, and educational institutions for streamlined OS deployments, making this vulnerability particularly concerning for IT administrators.
Despite Microsoft’s decision not to issue a patch, Peng argues that “it remains an important DoS vulnerability” that can “crash an entire PXE network in your corporation, paralyzing enterprise deployment systems remotely.”
This vulnerability follows previous WDS-related flaws, including a remote code execution vulnerability (CVE-2019-0603) that was patched in March 2019.
At present, there appears to be no effective mitigation strategy for organizations using Windows Deployment Services other than considering alternative deployment solutions or implementing strict network filtering to limit access to port 69.
#Cyber_Security #Cyber_Security_News #Vulnerability #Windows #Zero-Click #cyber_security #cyber_security_news #windows
Оригинальная версия на сайте:
