CVE-2014-2384 – Invalid Pointer Dereference in VMware Workstation and Player

Vulnerability title: Invalid Pointer Dereference in VMware Workstation
and Player
CVE: CVE-2014-2384
Vendor: VMware
Product: Workstation, Player
Affected version: VMware WorkStation v10.0.1 build-1379776 and VMware
Player v6.0.1 build-1379776
Fixed version: N/A
Reported by: Kyriakos Economou

Details:

The vmx86.sys (32 & 64-bit) kernel mode driver shared by various VMware Windows products such as VMware Workstation and VMWare Player, allows a local attacker to kill the host system through a Blue Screen of Death by sending a specific IOCTL code with a 3 bytes, or larger, input buffer.
The Blue Screen is triggered because the vulnerable function doesn’t check if a pointer to a memory page is valid or not, thus causing a memory access violation by trying to read from an unallocated memory page.

Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2384/

Share