Vulnerabilities > CVE-2014-6317 - Improper Validation of Array Index vulnerability in Microsoft products

CVSS 7.1 - HIGH

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

microsoft

CWE-129

nessus

NVD

Published: 2014-11-11

Updated: 2019-05-15

Summary

Array index error in win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (reboot) via a crafted TrueType font, aka "Denial of Service in Windows Kernel Mode Driver Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 7 - Microsoft Windows 8 - Microsoft Windows 8.1 - Microsoft Windows RT - Microsoft Windows RT 8.1 - Microsoft Windows Server 2003 - Microsoft Windows Server 2008 - Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 - Microsoft Windows Server 2012 R2 Microsoft Windows Vista -	12

Common Weakness Enumeration (CWE)

CWE-129 - Improper Validation of Array Index

Common Attack Pattern Enumeration and Classification (CAPEC)

Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.

Msbulletin

bulletin_id	MS14-079
bulletin_url
date	2014-11-11T00:00:00
impact	Denial of Service
knowledgebase_id	3002885
knowledgebase_url
severity	Moderate
title	Vulnerability in Kernel-Mode Driver Could Allow Denial of Service

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS14-079.NASL
description	The remote Windows host is affected by a denial of service vulnerability due to the Windows kernel-mode driver not properly validating array indexes when loading TrueType font files. An attacker can exploit this vulnerability by convincing a user to open a file or visit a website containing a specially crafted TrueType font file, resulting in a restart of the user
last seen	2020-06-01
modified	2020-06-02
plugin id	79138
published	2014-11-12
reporter	This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/79138
title	MS14-079: Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(79138); script_version("1.6"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2014-6317"); script_bugtraq_id(70949); script_xref(name:"MSFT", value:"MS14-079"); script_xref(name:"MSKB", value:"3002885"); script_name(english:"MS14-079: Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)"); script_summary(english:"Checks the version of Win32k.sys."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by denial of service vulnerability."); script_set_attribute(attribute:"description", value: "The remote Windows host is affected by a denial of service vulnerability due to the Windows kernel-mode driver not properly validating array indexes when loading TrueType font files. An attacker can exploit this vulnerability by convincing a user to open a file or visit a website containing a specially crafted TrueType font file, resulting in a restart of the user's system."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-079"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/11"); script_set_attribute(attribute:"patch_publication_date", value:"2014/11/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS14-079'; kb = "3002885"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / Windows Server 2012 R2 hotfix_is_vulnerable(os:"6.3", sp:0, file:"Win32k.sys", version:"6.3.9600.17393", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 8 / Windows Server 2012 hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.21250", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.17133", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 7 / Server 2008 R2 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.22831", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.18635", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Vista / Windows Server 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.23522", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.19215", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows Server 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5448", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Msbulletin

Nessus

References