> The core issue is that `EndpointSessionMapEntry` imposes no limit on the number of sessions. Consequently, an attacker can forge fake client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted.

Aren't you just able to flood any DHCP server instead? PXE deployment already hinges on DHCP provision > PXE broadcast > download image > launch, you might as well just exhaust the DHCP server's pool by using all ephemeral addresses or spoofing MAC addresses endlessly.

Additionally, WDS is active only in-LAN and usually only on areas like employee office networks (i.e.: not listening on the servers' subnet, for example, unlike AD services). You'd need lateral movement to an "office LAN" to reach said WDS server.
How is this different than any other run-of-the-mill DoS attack you can do when you're on a LAN? Even if this vulnerability doesn't exist, there's all sorts of shenanigans you can pull, like multicast flooding, or ARP spoofing.