CVE-2023-36395
📋 TL;DR
This vulnerability in Windows Deployment Services (WDS) allows attackers to cause a denial of service by sending specially crafted packets to vulnerable servers. It affects organizations using WDS for network-based Windows installations. The vulnerability can crash the WDS service, disrupting deployment operations.
💻 Affected Systems
- Windows Deployment Services
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of Windows deployment services across the network, preventing new system deployments and potentially affecting existing deployment sessions.
Likely Case
Temporary service outage requiring WDS service restart, causing deployment delays and requiring manual intervention.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting exposure to trusted internal hosts only.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires network access to the WDS server but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply latest Windows security updates for affected Windows Server versions
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36395
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft Update
2. Restart the Windows Deployment Services server
3. Verify WDS service is running normally after restart
🔧 Temporary Workarounds
Network Segmentation
windowsRestrict network access to WDS servers to only trusted deployment clients and management systems
Use Windows Firewall: New-NetFirewallRule -DisplayName 'Restrict WDS' -Direction Inbound -LocalPort 67,68,69,4011 -Protocol UDP -Action Allow -RemoteAddress TrustedSubnets
Use Windows Firewall: New-NetFirewallRule -DisplayName 'Block WDS' -Direction Inbound -LocalPort 67,68,69,4011 -Protocol UDP -Action Block
Service Hardening
windowsRun WDS with minimal privileges and monitor for service crashes
sc config wdsserver start= delayed-auto
Set service recovery options to restart automatically
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with WDS servers
- Monitor WDS service health and implement automated restart procedures for service crashes
🔍 How to Verify
Check if Vulnerable:
Check if Windows Deployment Services role is installed and if system is running an unpatched version of affected Windows ServerCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" && wdsutil /get-server /show:configVerify Fix Applied:
Verify Windows Update history shows the relevant security update installed and WDS service version matches patched version📡 Detection & Monitoring
Log Indicators:
- Event ID 1000 in Application logs showing wdsserver.exe crashes
- Unexpected WDS service stops in System logs
- Increased failed deployment attempts
Network Indicators:
- Unusual traffic patterns to WDS ports (67,68,69,4011 UDP)
- Multiple connection attempts from single source to WDS
SIEM Query:
source="windows" event_id=1000 process_name="wdsserver.exe" OR source="windows" event_id=7036 service_name="Windows Deployment Services"