CVE-2023-26509: 
NixOS vulnerability analysis and mitigation

AnyDesk 7.0.8 was found to be vulnerable to a remote Denial of Service attack. The vulnerability, identified as CVE-2023-26509, was discovered and disclosed in February 2023, with the public disclosure occurring on July 3, 2023. This security flaw specifically affects the AnyDesk software version 7.0.8 running on Windows systems (NVD, CVE).

The vulnerability allows attackers to abuse the discovery service located on UDP port 50001 for DRDoS (Distributed Reflected Denial of Service) attacks with an amplification factor of approximately 33. In networks with multiple AnyDesk clients, the amplification factor could be increased further by sending packages to a special multicast IP. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-exploitable vulnerability with low attack complexity and no required privileges or user interaction (GitHub Advisory, NVD).

The successful exploitation of this vulnerability can result in a complete denial of service to the affected AnyDesk service. The high CVSS score of 7.5 indicates significant potential impact on system availability, though there are no direct impacts on confidentiality or integrity (NVD).

Users are advised to upgrade from AnyDesk version 7.0.8 to a newer, patched version of the software. The vulnerability has been addressed in subsequent releases (AnyDesk Advisory).