// For flags

CVE-2014-3802

Microsoft DIA SDK msdia.dll Memory Corruption Vulnerability

Severity Score

6.8
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

msdia.dll in Microsoft Debug Interface Access (DIA) SDK, as distributed in Microsoft Visual Studio before 2013, does not properly validate an unspecified variable before use in calculating a dynamic-call address, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDB file.

msdia.dll en Microsoft Debug Interface Access (DIA) SDK, distribuido en Microsoft Visual Studio anterior a 2013, no valida debidamente una variable no especificada antes de utilizarla para calcular una dirección de llamada dinámica, lo que permite a atacantes remotos ejecutar código arbitrario o causar una denegación de servicio (corrupción de memoria) a través de un archivo PDB manipulado.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Debug Interface Access SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of PDB files. The issue lies in a failure to sanitize a value which is then used in the calculation of an address for a dynamic call. An attacker can leverage this vulnerability to execute code under the context of the current process.

*Credits: 80ceb6400c43bd3fa9f1ef561f7c51d929fe0199
CVSS Scores
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-05-14 CVE Published
  • 2014-05-20 CVE Reserved
  • 2024-04-01 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
References (2)
URL Tag Source
http://www.securityfocus.com/bid/67398 Third Party Advisory
http://zerodayinitiative.com/advisories/ZDI-14-129 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Microsoft
Search vendor "Microsoft"
 Debug Interface Access Software Development Kit
Search vendor "Microsoft" for product "Debug Interface Access Software Development Kit"
--
Affected
Microsoft
Search vendor "Microsoft"
 Visual Studio
Search vendor "Microsoft" for product "Visual Studio"
 <= 2012
Search vendor "Microsoft" for product "Visual Studio" and version " <= 2012"
-
Affected
Microsoft
Search vendor "Microsoft"
 Visual Studio
Search vendor "Microsoft" for product "Visual Studio"
 2002
Search vendor "Microsoft" for product "Visual Studio" and version "2002"
-
Affected
Microsoft
Search vendor "Microsoft"
 Visual Studio
Search vendor "Microsoft" for product "Visual Studio"
 2003
Search vendor "Microsoft" for product "Visual Studio" and version "2003"
-
Affected
Microsoft
Search vendor "Microsoft"
 Visual Studio
Search vendor "Microsoft" for product "Visual Studio"
 2005
Search vendor "Microsoft" for product "Visual Studio" and version "2005"
-
Affected
Microsoft
Search vendor "Microsoft"
 Visual Studio
Search vendor "Microsoft" for product "Visual Studio"
 2010
Search vendor "Microsoft" for product "Visual Studio" and version "2010"
-
Affected
Microsoft
Search vendor "Microsoft"
 Visual Studio
Search vendor "Microsoft" for product "Visual Studio"
 2010
Search vendor "Microsoft" for product "Visual Studio" and version "2010"
sp1
Affected