A newly discovered vulnerability in Microsoft\u2019s Windows Deployment Services (WDS) allows attackers to remotely crash servers<\/a> with zero user interaction or authentication.\u00a0<\/p>\n The flaw, which targets the UDP-based TFTP service at the WDS, could allow even low-skilled attackers to paralyze enterprise OS deployment infrastructure in minutes.\u00a0<\/p>\n Notably, the attack leverages unauthenticated, spoofed network traffic, making it both stealthy and difficult to defend against with traditional security controls.<\/p>\n The flaw, which requires no authentication or user interaction (0-click), allows attackers to remotely exhaust system memory by exploiting a design weakness in how WDS handles UDP-based TFTP sessions on port 69.<\/p>\n \u201cThe core issue is that EndpointSessionMapEntry imposes no limit on the number of sessions. Consequently, an attacker can forge fake client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted,\u201d Security researcher Zhiniang Peng explains<\/a> in his published analysis.<\/p>\n The vulnerability stems from the WDS TFTP service, which creates a CTftpSession object each time a connection request is received.\u00a0<\/p>\n The function wdstftp!CClientContext::OnConnectionRequest manages this process, as shown in this code snippet:<\/p>\n Since UDP servers cannot verify packet sources, attackers can spoof packets with randomized source addresses and ports, forcing the server to allocate excessive session objects in memory without limitation.<\/p>\n In a test environment running Windows Server Insider Preview with 8GB of RAM, Peng demonstrated that by continuously sending spoofed UDP packets to port 69, memory consumption rapidly increased to 15GB within just 7 minutes, causing the entire system to crash.<\/p>\n The attack technique is surprisingly simple to implement, requiring only basic scripting on a Linux machine<\/a> to generate the spoofed packets.\u00a0<\/p>\n While Peng only published pseudocode to prevent abuse, he noted that \u201cmultithreading could significantly accelerate the attack.\u201d<\/p>\n This vulnerability poses a significant threat to organizations that rely on WDS for network-based OS deployment, as it allows attackers to completely disrupt PXE boot services across an enterprise without requiring any authentication or privileged access.<\/p>\n Windows Deployment Services is widely used in corporate networks, data centers, and educational institutions for streamlined OS deployments, making this vulnerability particularly concerning for IT administrators.<\/p>\n Despite Microsoft\u2019s decision not to issue a patch, Peng argues that \u201cit remains an important DoS vulnerability<\/a>\u201d that can \u201ccrash an entire PXE network in your corporation, paralyzing enterprise deployment systems remotely.\u201d<\/p>\n This vulnerability follows previous WDS-related flaws, including a remote code execution vulnerability (CVE-2019-0603) that was patched in March 2019.<\/p>\n At present, there appears to be no effective mitigation strategy for organizations using Windows Deployment Services other than considering alternative deployment solutions or implementing strict network filtering to limit access to port 69.<\/p>\n Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points \u2013 Free Webinar<\/a><\/strong><\/p>\n The post UDP Vulnerability in Windows Deployment Services Allows 0-Click System Crashes<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nZero-Click WDS TFTP Vulnerability<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeXJB8WZ_f4m39r3owwzfZpaHsWMO6e-L9pxrx1LLVZlJ0oGTgkEtZ5lkkV1wmURPeUq1XyeCLGzhWpsQ2h6CNLfjjqylWa9fBMOV5Of-GD-cdLjXbDT11v4IAT2TSX21ycnpPlFg?key=8TQuSg1XNHAaT6P5wkXMlA\")
Proof of Concept\u00a0<\/strong><\/h2>\n