> The core issue is that `EndpointSessionMapEntry` imposes no limit on the number of sessions. Consequently, an attacker can forge fake client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted.
Aren't you just able to flood any DHCP server instead? PXE deployment already hinges on DHCP provision > PXE broadcast > download image > launch, you might as well just exhaust the DHCP server's pool by using all ephemeral addresses or spoofing MAC addresses endlessly.
Additionally, WDS is active only in-LAN and usually only on areas like employee office networks (i.e.: not listening on the servers' subnet, for example, unlike AD services). You'd need lateral movement to an "office LAN" to reach said WDS server.
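The quoted description boils down to a session table keyed by (client IP, port) with no cap. The following is an added example (not code from the thread, from WDS, or from Microsoft) that contrasts that unbounded pattern with a bounded table enforcing a global cap, a per-source cap and idle expiry. All class names, parameters and endpoint values are constructed for illustration.

```python
from collections import OrderedDict


class UnboundedSessionMap:
    """Mirrors the flawed pattern: every new (ip, port) gets a session, kept forever."""

    def __init__(self):
        self.sessions = {}

    def get_or_create(self, ip, port, now):
        key = (ip, port)
        if key not in self.sessions:
            self.sessions[key] = {"created": now, "last_seen": now}
        self.sessions[key]["last_seen"] = now
        return self.sessions[key]


class BoundedSessionMap:
    """Hardened variant: idle sessions expire, and new sessions are refused
    once a per-source or global cap is reached (caps are constructed defaults)."""

    def __init__(self, max_total=1000, max_per_ip=8, idle_timeout=30.0):
        self.max_total = max_total
        self.max_per_ip = max_per_ip
        self.idle_timeout = idle_timeout
        self.sessions = OrderedDict()  # insertion order doubles as recency order
        self.per_ip = {}
        self.rejected = 0  # count of refused session creations, for monitoring

    def _drop(self, key):
        del self.sessions[key]
        ip = key[0]
        self.per_ip[ip] -= 1
        if self.per_ip[ip] == 0:
            del self.per_ip[ip]

    def _expire_idle(self, now):
        # Reclaim entries nobody has touched within idle_timeout seconds.
        for key in list(self.sessions):
            if now - self.sessions[key]["last_seen"] > self.idle_timeout:
                self._drop(key)

    def get_or_create(self, ip, port, now):
        key = (ip, port)
        if key in self.sessions:
            self.sessions[key]["last_seen"] = now
            self.sessions.move_to_end(key)
            return self.sessions[key]
        self._expire_idle(now)
        if (self.per_ip.get(ip, 0) >= self.max_per_ip
                or len(self.sessions) >= self.max_total):
            self.rejected += 1
            return None  # caller should log this and answer nothing / an error
        self.sessions[key] = {"created": now, "last_seen": now}
        self.per_ip[ip] = self.per_ip.get(ip, 0) + 1
        return self.sessions[key]


def simulate(session_map, n_sources=50, ports_per_source=100, start=0.0):
    """Feed constructed (ip, port) endpoints through a map; return its final size."""
    now = start
    for i in range(n_sources):
        ip = f"10.0.{i // 256}.{i % 256}"  # constructed addresses, not real clients
        for p in range(ports_per_source):
            session_map.get_or_create(ip, 40000 + p, now)
            now += 0.001
    return len(session_map.sessions)


if __name__ == "__main__":
    print("unbounded:", simulate(UnboundedSessionMap()))  # grows to 5000
    bounded = BoundedSessionMap()
    print("bounded:", simulate(bounded), "rejected:", bounded.rejected)  # 400, 4600
```

The caps turn unbounded memory growth into a bounded table plus a rejection counter that can be alerted on. Note the limit of the per-source cap: it only helps when the source address cannot be forged, which is exactly what the quoted text says the attacker can do here, so the global cap and idle expiry are what actually bound the resource, and a flood of spoofed sources still degrades service for legitimate clients rather than crashing the host.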
gruez · 6h ago
How is this different than any other run-of-the-mill DoS attack you can do when you're on a LAN? Even if this vulnerability doesn't exist, there's all sorts of shenanigans you can pull, like multicast flooding, or ARP spoofing.
smileybarry · 4h ago
Note the link may prompt Google Account re-auth, strangely it did on my work browser. Opening in incognito side-steps this.