Windows Servers in danger of being compromised via WDS bug
Checkpoint has released more details about CVE-2018-8476, a critical remote code execution vulnerability affecting all Windows Servers since 2008 SP2.
The bug was responsibly disclosed to Microsoft last year and was fixed last November, but there are likely still servers out there that haven’t been upgraded and are open to attack.
About the vulnerability
CVE-2018-8476 exists in the way that Windows Deployment Services (WDS) TFTP Server handles objects in memory.
WDS is a popular Windows Server service that is used by many organizations to install customized operating systems on new machines in the network.
“The Windows Deployment Services is usually, by its nature, accessible to anyone connected via a LAN port and provides the relevant software. They determine the Operating System as well as the accompanying programs and services for each new network element,” Checkpoint researcher Omer Gull explained.
“With this amount of accessibility, it is natural to consider what would be the ramifications if a malicious actor was able to breach this server and modify it to control the content of every new computer, and equip it with his own proprietary malware.”
The source of the vulnerability was Microsoft’s implementation of the Trivial File Transfer Protocol (TFTP) in WDS. The bug can be triggered remotely through a specially crafted TFTP message and be exploited by an unauthenticated attacker.
Potential for exploitation
Microsoft considers it to be of critical severity and advised on implementing the offered updates, as there are no workarounds that can be used to mitigate the threat.
“Since this bug allows an attacker to take over a system, any other service – DNS, Active Directory, DHCP, etc. – could also be manipulated,” ZDI’s Dustin Childs pointed out when the patch was released, and advised all who run WDS to not miss it.
Now that technical details about the flaw are public, attackers may have enough information to build a working exploit and start using it.
So, if you haven’t implemented the provided patch, you would be wise to do so now.
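One way to turn that advice into a quick inventory check is shown below. This is an added example and not code from the article, Checkpoint or Microsoft; it assumes it is run elevated on a Windows Server with the ServerManager and NetTCPIP modules available, uses the real role names (WDS, WDS-Deployment, WDS-Transport), service name (WDSServer) and TFTP port (UDP/69) of Windows Deployment Services, and leaves the hotfix number as a placeholder because the article does not name the KB that ships the fix.

```powershell
# Added example (not from the article): report whether this server runs WDS, whether its
# TFTP listener is exposed, and whether the CVE-2018-8476 fix is installed.
# Assumptions: elevated session, ServerManager + NetTCPIP modules present.

$RequiredKb = 'KB0000000'   # PLACEHOLDER: substitute the KB for this OS build from the
                            # Microsoft advisory for CVE-2018-8476 (November 2018 update)

# 1. Is the Windows Deployment Services role, or either of its sub-features, installed?
$wdsFeatures = Get-WindowsFeature -Name 'WDS', 'WDS-Deployment', 'WDS-Transport' |
    Where-Object { $_.Installed }

# 2. Is the WDS server service running, and is the TFTP service listening on UDP/69?
$wdsService   = Get-Service -Name 'WDSServer' -ErrorAction SilentlyContinue
$tftpListener = Get-NetUDPEndpoint -LocalPort 69 -ErrorAction SilentlyContinue

# 3. Has the fix been applied? Get-HotFix returns nothing if the KB is absent.
$patched = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)

$wdsInstalled = ($wdsFeatures | Measure-Object).Count -gt 0

# One summary object per host; pipe to Export-Csv when collecting across a fleet.
[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    WdsInstalled  = $wdsInstalled
    WdsRunning    = [bool]($wdsService -and $wdsService.Status -eq 'Running')
    TftpListening = [bool]$tftpListener
    Patched       = $patched
    Exposed       = ($wdsInstalled -and -not $patched)
}
```

Because the article notes there is no workaround, the only meaningful remediation signal is the Patched column; WdsInstalled and TftpListening are there to prioritise which unpatched hosts to update first, since a server with the role installed and UDP/69 open is reachable by anything on the LAN segment.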