Microsoft confirms serious vulnerability allowing remote network crashes
- A security researcher discovered a vulnerability in Microsoft's Windows Deployment Services that allows remote denial-of-service attacks.
- Microsoft confirmed this vulnerability but assessed it as moderate and opted not to provide a fix or bug bounty.
- This situation raises concerns about Microsoft's responsibility in addressing critical security issues affecting enterprise networks.
In early 2024, a significant security vulnerability was discovered in Microsoft's Windows Deployment Services (WDS) that allows a remote attacker to carry out a denial-of-service attack without authentication or user interaction. The researcher, Peng, reported the vulnerability to Microsoft on February 8, 2024. Microsoft confirmed the issue on March 4 but rated its severity as moderate and, on that basis, declined to issue a patch or pay a bug bounty. Disappointed by Microsoft's lack of urgency, Peng published detailed findings on a flaw that potentially puts at risk the many enterprise networks that rely heavily on Windows systems.

The vulnerability is a memory-exhaustion attack against the UDP-based component of WDS. By spoofing client IP addresses and port numbers, an attacker can create a large number of sessions, until the server runs out of resources and crashes.

Following the disclosure, Microsoft informed Peng that it did not consider the issue severe enough to warrant immediate remediation or a bounty. The vulnerability therefore remained unaddressed in the months that followed, prompting the researcher to recommend abandoning WDS until Microsoft develops a proper fix.

In stark contrast, Microsoft confirmed multiple critical vulnerabilities in its cloud services around the same time, including one rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. Crucially, Microsoft stated that none of these vulnerabilities had been exploited in the wild and assured customers that no action was required on their part, as the issues had already been mitigated internally.
This contrast with the WDS situation raised further questions about the consistency and speed of Microsoft's response to different kinds of vulnerabilities across its extensive product portfolio. Users and IT professionals were left in a precarious position: one critical vulnerability threatened the stability of enterprise networks, while another critical but already mitigated flaw showed what an effective response to a cloud-service issue looks like. The disparity in response and responsibility reflects a growing need for accountability and a proactive approach to addressing security vulnerabilities. Until that changes, organizations may need to reassess their reliance on WDS as a viable option for network deployment, in light of the risks associated with its unpatched vulnerability.
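The mechanism described above, spoofed client IP:port pairs opening sessions until the WDS server exhausts its memory, leaves a simple network-side signature: many distinct client endpoints hitting the WDS UDP listener within a short window. The detection script below is an added example, not code from the article or the researcher; it assumes WDS listens on UDP 69 (TFTP) and 4011 (PXE), a constructed flow-log line format, and a tunable threshold of 100 distinct endpoints per minute.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: WDS serves PXE clients on UDP 69 (TFTP) and UDP 4011 (PXE proxy DHCP).
WDS_UDP_PORTS = {69, 4011}

# Constructed sample flow records (not from the article). Format per line:
# "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>/<proto>"
LEGIT_FLOWS = [
    "2024-03-04T10:00:00 10.0.0.5:2049 -> 10.0.0.10:69/udp",
    "2024-03-04T10:00:03 10.0.0.6:2050 -> 10.0.0.10:69/udp",
    "2024-03-04T10:00:05 10.0.0.7:2051 -> 10.0.0.10:4011/udp",
    "2024-03-04T10:00:09 10.0.0.5:51000 -> 10.0.0.10:445/tcp",
]
# Constructed burst: 250 distinct (spoofed) client IP:port pairs hitting TFTP in one minute.
FLOOD_FLOWS = LEGIT_FLOWS + [
    f"2024-03-04T10:05:{i % 60:02d} 203.0.113.{i % 254 + 1}:{40000 + i} -> 10.0.0.10:69/udp"
    for i in range(250)
]

def parse_flow(line):
    """Return (ts, src_ip, src_port, dst_ip, dst_port, proto), or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_rest = parts[3].rsplit(":", 1)
        dst_port, proto = dst_rest.split("/", 1)
        return ts, src_ip, int(src_port), dst_ip, int(dst_port), proto.lower()
    except ValueError:
        return None

def detect_session_flood(lines, window_seconds=60, threshold=100):
    """Alert when one WDS UDP listener sees >= threshold distinct client endpoints per window."""
    clients = defaultdict(set)  # (dst_ip, dst_port, window_index) -> {(src_ip, src_port)}
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec[5] != "udp" or rec[4] not in WDS_UDP_PORTS:
            continue  # malformed, non-UDP, or not aimed at a WDS listener
        ts, src_ip, src_port, dst_ip, dst_port, _ = rec
        window = int(ts.timestamp()) // window_seconds
        clients[(dst_ip, dst_port, window)].add((src_ip, src_port))
    alerts = []
    for (dst_ip, dst_port, window), endpoints in sorted(clients.items()):
        if len(endpoints) >= threshold:
            alerts.append({"dst_ip": dst_ip, "dst_port": dst_port, "distinct_clients": len(endpoints)})
    return alerts
```

Tune the threshold to the number of PXE boots your deployment server legitimately serves per minute; a boot storm after a site-wide reimage will look similar, so correlate alerts with deployment schedules.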