Vulnerability in Windows Deployment Services allows server hijacking

A protocol implementation error appears to be the cause of this flaw

Network security and ethical hacking specialists recently published a report revealing technical details about a vulnerability in Windows Deployment Services that allowed an attacker to hijack the server and deploy backdoored Windows images to the machines it provisions.

The vulnerability affects Windows Server 2008 SP2 and later, through the Windows Deployment Services component included in those systems, according to network security experts from the International Institute of Cyber Security.

Windows Deployment Services (WDS) is the server role enterprise sysadmins use to deploy Windows operating systems to a set of machines from a central location, that is, a Windows Server system running WDS.

This works by serving a Network Boot Program (NBP) to the Preboot Execution Environment (PXE) of local workstations, which request it over the network before any operating system has been loaded, the network security experts mention.

The exchange between the server and the workstations uses the TFTP protocol, a minimal UDP-based file transfer protocol with no authentication. Despite the name it is not an earlier version of FTP; it is a separate and far simpler protocol, which is why robustness depends almost entirely on how carefully each implementation parses incoming packets.

Later reports from cybersecurity specialists presented the earlier research into how this protocol is implemented in WDS. Those reports reveal the root cause of the vulnerability, which Microsoft patched at the end of 2018.

According to these reports, it was possible to craft malformed TFTP packets that triggered malicious code execution on the Windows Server running WDS. “It wasn’t a problem with the TFTP protocol, it was a bad implementation issue,” the researchers commented.
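To make the distinction between "the protocol" and "the implementation" concrete, the following is an added example (not code from the researchers, from Microsoft, or from WDS) of how a TFTP server should parse a read/write request as laid out in RFC 1350 and RFC 2347: opcode, NUL-terminated filename, NUL-terminated mode, then optional NUL-terminated option/value pairs. Every field length and terminator is checked before it is used, which is exactly the kind of check a careless implementation skips. The sample packets, the size limits and the hypothetical boot-file path are constructed for the example and are not taken from the report; the example does not reproduce the WDS bug itself, only the class of malformed input a parser must reject.

```python
import struct

OP_RRQ, OP_WRQ = 1, 2                 # RFC 1350 request opcodes
MODES = {"netascii", "octet", "mail"}
MAX_REQUEST = 512                     # a request must fit in one TFTP block (assumed limit)
MAX_FILENAME = 255                    # assumed limit for this example
MAX_OPTION_FIELD = 32                 # assumed limit for option names and values
MAX_OPTIONS = 8                       # assumed cap on RFC 2347 option pairs


class TftpParseError(ValueError):
    """Raised for any request that does not match the RFC 1350/2347 layout."""


def _take_cstring(buf, pos, limit):
    """Return (text, next_pos) for the NUL-terminated field starting at pos.

    Rejects fields that never terminate, are empty, exceed `limit` bytes or
    are not ASCII. A naive strlen()-style walk has none of these checks and
    reads past the end of the packet when the terminator is missing.
    """
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise TftpParseError("field at offset %d is not NUL-terminated" % pos)
    if end == pos:
        raise TftpParseError("empty field at offset %d" % pos)
    if end - pos > limit:
        raise TftpParseError("field at offset %d longer than %d bytes" % (pos, limit))
    try:
        text = buf[pos:end].decode("ascii")
    except UnicodeDecodeError:
        raise TftpParseError("field at offset %d is not ASCII" % pos) from None
    return text, end + 1


def parse_request(pkt):
    """Parse an RRQ/WRQ packet into a dict, or raise TftpParseError."""
    if len(pkt) > MAX_REQUEST:
        raise TftpParseError("request larger than one block")
    if len(pkt) < 4:
        raise TftpParseError("request shorter than opcode + two fields")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise TftpParseError("opcode %d is not RRQ/WRQ" % opcode)
    filename, pos = _take_cstring(pkt, 2, MAX_FILENAME)
    # Only serve relative paths inside the boot share: no absolute paths,
    # no empty components, no "." or ".." traversal.
    parts = filename.replace("\\", "/").split("/")
    if parts[0] == "" or any(p in ("", ".", "..") for p in parts):
        raise TftpParseError("filename %r is not a safe relative path" % filename)
    mode, pos = _take_cstring(pkt, pos, 8)
    if mode.lower() not in MODES:
        raise TftpParseError("unknown transfer mode %r" % mode)
    options = {}
    while pos < len(pkt):                    # RFC 2347 option/value pairs
        if len(options) >= MAX_OPTIONS:
            raise TftpParseError("too many options")
        name, pos = _take_cstring(pkt, pos, MAX_OPTION_FIELD)
        value, pos = _take_cstring(pkt, pos, MAX_OPTION_FIELD)  # fails if value is missing
        options[name.lower()] = value
    return {"opcode": opcode, "filename": filename, "mode": mode.lower(), "options": options}


def build_request(filename, mode="octet", options=None, opcode=OP_RRQ):
    """Build a well-formed RRQ/WRQ packet (client side of the exchange)."""
    pkt = struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
    pkt += mode.encode("ascii") + b"\x00"
    for name, value in (options or {}).items():
        pkt += name.encode("ascii") + b"\x00" + str(value).encode("ascii") + b"\x00"
    return pkt


def check(pkt):
    """Classify a packet as 'ok' or 'rejected: <reason>' without raising."""
    try:
        parse_request(pkt)
        return "ok"
    except TftpParseError as exc:
        return "rejected: " + str(exc)


def sample_packets():
    """Constructed packets for the example; the boot-file name is hypothetical."""
    good = build_request("boot\\x64\\wdsnbp.com", "octet", {"blksize": 1456, "tsize": 0})
    return {
        "good": good,
        "truncated": good[:-1],                         # last option value lost its NUL
        "no_terminator": b"\x00\x01" + b"A" * 20,       # filename never terminated
        "overlong": build_request("A" * 300),           # filename exceeds any fixed buffer
        "missing_value": build_request("x.bin") + b"blksize\x00",  # option with no value
        "traversal": build_request("..\\..\\secret.txt"),          # escapes the boot share
    }


if __name__ == "__main__":
    for label, pkt in sample_packets().items():
        print("%-14s %s" % (label, check(pkt)))
```

Each rejection in `sample_packets` corresponds to a field the protocol allows a client to send but that a server must refuse to trust: a terminator that is not there, a length larger than the receiving buffer, a value that was promised but never arrives, or a filename that points outside the directory being served. The protocol itself is unchanged; only the implementation decides whether those packets are errors or memory corruption.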

An attacker on the local network could therefore send the malformed TFTP packets to the WDS server and take control of it. The report mentions that the vulnerability is also exploitable from outside the local network where the service is reachable, although WDS is normally used only on a LAN.

An attacker who compromises the WDS server could take complete control of the local network, since every machine that boots from it receives its operating system image from that server; in particular, they could deploy backdoored versions of Windows to those machines. So far, neither the researchers nor Microsoft have reported any exploitation of this vulnerability in the wild, although this could change in the future.

Users of WDS on Windows Server are encouraged to install the November 2018 update package if they have not already done so, as there is no workaround that mitigates the risk posed by this vulnerability. As a defence-in-depth measure, the WDS server's TFTP port (UDP 69) should in any case not be reachable from untrusted networks.