CVE-2014-6321
published 2014-11-11


Priority: P1 (86)
Severity: critical, CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
In the wild: VulnCheck KEV, exploited in the wild
EPSS: 95.99% (99.9th percentile)
Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel Remote Code Execution Vulnerability."

Affected (2 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008
microsoft   windows_server_2012

Detection & IOCs (extracted from sources)

other: Palo Alto Networks signature 37094
other: Palo Alto Networks signature 37059
process: lsass.exe
  • Client-side heap overflow: attacker sends a crafted DTLS HelloVerifyRequest with a CookieSize value larger than 32 bytes, causing a heap overflow in CSsl3TlsClientContext::DigestServerHelloVerifyRequest via memcpy into a fixed heap target (edi+0x270).
  • Exploit does not require an established RDP session — a crafted DTLS packet can be sent to the server pre-authentication to trigger the server-side OOB read.
  • Monitor schannel.dll for crashes or anomalous behaviour in lsass.exe, particularly call stacks involving DTLSCookieManager::ValidateCookie or CSsl3TlsClientContext::DigestServerHelloVerifyRequest.
  • Inspect DTLS ClientHello packets where the CookieLength field value (0x20 / 32) does not match the actual byte length of the cookie payload — mismatched size and content is the crafted attack pattern.

CVSS provenance

nvd: v2.0, 10.0, CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 10.0, CRITICAL