CVE-2018-8476
Description
A remote code execution vulnerability exists in the way that Windows Deployment Services TFTP Server handles objects in memory, aka "Windows Deployment Services TFTP Server Remote Code Execution Vulnerability." This affects Windows Server 2012 R2, Windows Server 2008, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows Server 2008 R2, Windows 10 Servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in the Windows Deployment Services TFTP server's string processing logic enables remote code execution without authentication.
Vulnerability
Windows Deployment Services (WDS) includes a Trivial File Transfer Protocol (TFTP) server that listens on UDP port 69. The vulnerability, CVE-2018-8476, is an integer overflow in the handling of specially crafted TFTP packets containing a large TransferSize value. The overflow occurs during memory allocation for a string buffer, leading to a heap-based buffer overflow. All supported Windows Server versions that include WDS are affected: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows 10 Servers [1]. The code path is reachable by any network client that can send a UDP packet to the TFTP port, and no authentication is required because TFTP has no authentication mechanism.
Exploitation
An attacker does not need any authentication or physical access; they only need to be able to send a crafted UDP packet to the WDS TFTP server on port 69 [1]. The research by Check Point describes a two-part attack: first, an attacker sends a TFTP Read Request (RRQ) packet that includes a specially large value for the TransferSize option. This triggers the integer overflow in the server's string processing code, resulting in a heap-based buffer overflow. The attacker then sends subsequent TFTP packets that complete the exploitation, overwriting kernel-mode memory (since the WDS TFTP server runs in a kernel-mode driver) to eventually execute arbitrary code [1]. No user interaction or system configuration beyond exposing the WDS service to the network is required.
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) with SYSTEM privileges [1]. Because the WDS TFTP server runs in kernel mode, the attacker gains full control over the target Windows server. This can be used to install malware, modify system files, create new user accounts, or pivot to other systems on the network. The attacker can effectively compromise any new machine that subsequently boots via WDS, as the server is responsible for delivering the operating system image.
Mitigation
Microsoft released a security update for CVE-2018-8476 as part of the November 2018 Patch Tuesday [1]. The update was made available for all affected Windows Server versions. Additionally, as a best practice, administrators should ensure that WDS TFTP services are not exposed to untrusted networks (e.g., by using network segmentation or firewalls to restrict UDP port 69 access to only authorized PXE client subnets). There is no evidence that this CVE has been added to the Known Exploited Vulnerabilities (KEV) catalog as of the date of this synthesis.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
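A defender-side check for the request shape described under Exploitation, added here as an example (it is not code from the CVE record or from Check Point's research): it parses a TFTP request carrying RFC 2347 options and flags a tsize value that is non-numeric, non-zero in a read request (RFC 2349 has the client send tsize=0 in an RRQ), or beyond an assumed 32-bit ceiling; the sample packets and the file name pxeboot.bin are constructed for the example.

```python
"""Flag TFTP read requests carrying an anomalous 'tsize' option (RFC 2347/2349).

Added example, not from the CVE record or Check Point's research; the sample
packets and the 32-bit ceiling are assumptions made for the example.
"""
import struct

RRQ, WRQ = 1, 2
TSIZE_MAX = 2**32 - 1  # assumed ceiling: larger values cannot fit a 32-bit length


def parse_request(packet: bytes):
    """Return (opcode, filename, mode, options) or raise ValueError."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"opcode {opcode} is not a request")
    if not packet.endswith(b"\0"):
        raise ValueError("unterminated field")
    # NUL-terminated fields: filename, mode, then option/value pairs.
    fields = [f.decode("ascii", "replace") for f in packet[2:-1].split(b"\0")]
    if len(fields) < 2 or len(fields) % 2:
        raise ValueError("malformed field list")
    options = dict(zip((k.lower() for k in fields[2::2]), fields[3::2]))
    return opcode, fields[0], fields[1].lower(), options


def check_request(packet: bytes) -> list:
    """Return findings for one request; an empty list means nothing suspicious."""
    try:
        opcode, _filename, _mode, options = parse_request(packet)
    except ValueError as exc:
        return [f"malformed TFTP request: {exc}"]
    tsize = options.get("tsize")
    if tsize is None:
        return []
    if not tsize.isdigit():
        return [f"non-numeric tsize {tsize!r}"]
    value, findings = int(tsize), []
    # RFC 2349: a client sends tsize=0 in an RRQ and lets the server fill it in.
    if opcode == RRQ and value != 0:
        findings.append(f"RRQ with non-zero tsize {value}")
    if value > TSIZE_MAX:
        findings.append(f"tsize {value} exceeds 32-bit ceiling")
    return findings


# Constructed samples: a routine PXE-style read request and one with an oversized tsize.
SAMPLE_NORMAL = b"\x00\x01pxeboot.bin\x00octet\x00tsize\x000\x00blksize\x001456\x00"
SAMPLE_SUSPICIOUS = b"\x00\x01pxeboot.bin\x00octet\x00tsize\x0099999999999999999999\x00"
```

Feed each UDP datagram captured on port 69 to check_request; a non-empty list is worth an alert, and a write request (WRQ) with a plausible tsize is left alone.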
Affected products
- Range: version 1803 (Server Core Installation)
- Range: 32-bit Systems Service Pack 2
- (no CPE) Range: 32-bit Systems Service Pack 2
- (no CPE) Range: Itanium-Based Systems Service Pack 1
- Range: (Server Core installation)
- (no CPE) Range: (Server Core installation)
- (no CPE) Range: (Server Core installation)
- Range: (Server Core installation)
- Range: (Server Core installation)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.securityfocus.com/bid/105774 (BID)
- www.securitytracker.com/id/1042109 (SECTRACK)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8476 (CONFIRM, Microsoft advisory)
- research.checkpoint.com/2019/pxe-dust-finding-a-vulnerability-in-windows-servers-deployment-services/ (MISC, Check Point research)
News mentions
No linked articles in our index yet.