Vulnerabilities > CVE-2016-4287 - Integer Overflow or Wraparound vulnerability in Adobe Flash Player

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
adobe
CWE-190
nessus

Summary

Integer overflow in Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0.0.162 on Windows and OS X and before 11.2.202.635 on Linux allows attackers to execute arbitrary code via unspecified vectors.

Vulnerable Configurations

Part Description Count
Application
Adobe
275
OS
Linux
1
OS
Microsoft
3
OS
Apple
1
OS
Google
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS16-117.NASL
    descriptionThe remote Windows host is missing KB3188128. It is, therefore, affected by multiple vulnerabilities : - Multiple security bypass vulnerabilities exist that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-4271, CVE-2016-4277, CVE-2016-4278) - Multiple use-after-free errors exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932) - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-6922, CVE-2016-6924) - An integer overflow condition exists that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-4287) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id93475
    published2016-09-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93475
    titleMS16-117: Security Update for Adobe Flash Player (3188128)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93475);
      script_version("1.15");
      script_cvs_date("Date: 2019/11/14");
    
      script_cve_id(
        "CVE-2016-4271",
        "CVE-2016-4272",
        "CVE-2016-4274",
        "CVE-2016-4275",
        "CVE-2016-4276",
        "CVE-2016-4277",
        "CVE-2016-4278",
        "CVE-2016-4279",
        "CVE-2016-4280",
        "CVE-2016-4281",
        "CVE-2016-4282",
        "CVE-2016-4283",
        "CVE-2016-4284",
        "CVE-2016-4285",
        "CVE-2016-4287",
        "CVE-2016-6921",
        "CVE-2016-6922",
        "CVE-2016-6923",
        "CVE-2016-6924",
        "CVE-2016-6925",
        "CVE-2016-6926",
        "CVE-2016-6927",
        "CVE-2016-6929",
        "CVE-2016-6930",
        "CVE-2016-6931",
        "CVE-2016-6932"
      );
      script_xref(name:"MSFT", value:"MS16-117");
      script_xref(name:"MSKB", value:"3188128");
    
      script_name(english:"MS16-117: Security Update for Adobe Flash Player (3188128)");
      script_summary(english:"Checks the version of the ActiveX control.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has a browser plugin installed that is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing KB3188128. It is, therefore,
    affected by multiple vulnerabilities :
    
      - Multiple security bypass vulnerabilities exist that
        allow an unauthenticated, remote attacker to disclose
        sensitive information. (CVE-2016-4271, CVE-2016-4277,
        CVE-2016-4278)
    
      - Multiple use-after-free errors exist that allow an
        unauthenticated, remote attacker to execute arbitrary
        code. (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921,
        CVE-2016-6923, CVE-2016-6925, CVE-2016-6926,
        CVE-2016-6927, CVE-2016-6929, CVE-2016-6930,
        CVE-2016-6931, CVE-2016-6932)
    
      - Multiple memory corruption issues exist that allow an
        unauthenticated, remote attacker to execute arbitrary
        code. (CVE-2016-4274, CVE-2016-4275, CVE-2016-4276,
        CVE-2016-4280, CVE-2016-4281, CVE-2016-4282,
        CVE-2016-4283, CVE-2016-4284, CVE-2016-4285,
        CVE-2016-6922, CVE-2016-6924)
    
      - An integer overflow condition exists that allows an
        unauthenticated, remote attacker to execute arbitrary
        code. (CVE-2016-4287)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-117");
      script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsb16-29.html");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2012, 8.1, RT 8.1,
    2012 R2, and 10.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6932");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flash_player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_activex_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS16-117";
    kbs = make_list("3188128");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Windows 8" >< productname && "Windows 8.1" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    if (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, "activex_init()");
    
    # Adobe Flash Player CLSID
    clsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}';
    
    file = activex_get_filename(clsid:clsid);
    if (isnull(file))
    {
      activex_end();
      audit(AUDIT_FN_FAIL, "activex_get_filename", "NULL");
    }
    if (!file)
    {
      activex_end();
      audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);
    }
    
    # Get its version.
    version = activex_get_fileversion(clsid:clsid);
    if (!version)
    {
      activex_end();
      audit(AUDIT_VER_FAIL, file);
    }
    
    info = '';
    
    iver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(iver); i++)
     iver[i] = int(iver[i]);
    iver = join(iver, sep:".");
    
    # all <= 18.0.0.375 or 19 <= 23.0.0.162
    fix = FALSE;
    if(iver =~ "^(19|2[01])\." && ver_compare(ver:iver, fix:"23.0.0.162", strict:FALSE) == -1)
      fix = "23.0.0.162";
    else if(ver_compare(ver:iver, fix:"18.0.0.375", strict:FALSE) <= 0)
      fix = "18.0.0.375";
    
    if (
      (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) &&
      fix
    )
    {
      info = '\n  Path              : ' + file +
             '\n  Installed version : ' + version +
             '\n  Fixed version     : ' + fix +
             '\n';
    }
    
    port = kb_smb_transport();
    
    if (info != '')
    {
      if (report_paranoia > 1)
      {
        report = info +
          '\n' +
          'Note, though, that Nessus did not check whether the kill bit was\n' +
          "set for the control's CLSID because of the Report Paranoia setting" + '\n' +
          'in effect when this scan was run.\n';
      }
      else
      {
        report = info +
          '\n' +
          'Moreover, its kill bit is not set so it is accessible via Internet\n' +
          'Explorer.\n';
      }
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_add_report(bulletin:'MS16-117', kb:'3188128', report);
      security_report_v4(severity:SECURITY_HOLE, port:port, extra:hotfix_get_report());
    }
    else audit(AUDIT_HOST_NOT, 'affected');
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201610-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201610-10 (Adobe Flash Player: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id94421
    published2016-10-31
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94421
    titleGLSA-201610-10 : Adobe Flash Player: Multiple vulnerabilities
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FLASH_PLAYER_APSB16-29.NASL
    descriptionThe version of Adobe Flash Player installed on the remote Mac OS X host is equal or prior to version 22.0.0.211. It is, therefore, affected by multiple vulnerabilities : - Multiple security bypass vulnerabilities exist that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-4271, CVE-2016-4277, CVE-2016-4278) - Multiple use-after-free errors exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932) - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-6922, CVE-2016-6924) - An integer overflow condition exists that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-4287)
    last seen2020-06-01
    modified2020-06-02
    plugin id93462
    published2016-09-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93462
    titleAdobe Flash Player for Mac <= 22.0.0.211 Multiple Vulnerabilities (APSB16-29)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2312-1.NASL
    descriptionThis update for flash-player fixes the following security issues (APSB16-29, boo#998589) : - integer overflow vulnerability that could lead to code execution (CVE-2016-4287). - use-after-free vulnerabilities that could lead to code execution (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932) - security bypass vulnerabilities that could lead to information disclosure (CVE-2016-4271, CVE-2016-4277, CVE-2016-4278) - memory corruption vulnerabilities that could lead to code execution (CVE-2016-4182, CVE-2016-4237, CVE-2016-4238, CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-6922, CVE-2016-6924) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93558
    published2016-09-16
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93558
    titleSUSE SLED12 Security Update : flash-player (SUSE-SU-2016:2312-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1865.NASL
    descriptionAn update for flash-plugin is now available for Red Hat Enterprise Linux 5 Supplementary and Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 11.2.202.635. Security Fix(es) : * This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content. (CVE-2016-4271, CVE-2016-4272, CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4277, CVE-2016-4278, CVE-2016-4279, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-4287, CVE-2016-6921, CVE-2016-6922, CVE-2016-6923, CVE-2016-6924, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932)
    last seen2020-06-01
    modified2020-06-02
    plugin id93503
    published2016-09-15
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93503
    titleRHEL 5 / 6 : flash-plugin (RHSA-2016:1865)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1083.NASL
    descriptionThis update for flash-player fixes the following security issues (APSB16-29, boo#998589) : - integer overflow vulnerability that could lead to code execution (CVE-2016-4287). - use-after-free vulnerabilities that could lead to code execution (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932) - security bypass vulnerabilities that could lead to information disclosure (CVE-2016-4271, CVE-2016-4277, CVE-2016-4278) - memory corruption vulnerabilities that could lead to code execution (CVE-2016-4182, CVE-2016-4237, CVE-2016-4238, CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-6922, CVE-2016-6924) The package description was update to reflex that the stand-alone Flash is no longer provided on x86_64 architectures (boo#977664).
    last seen2020-06-05
    modified2016-09-16
    plugin id93553
    published2016-09-16
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93553
    titleopenSUSE Security Update : flash-player (openSUSE-2016-1083)
  • NASL familyWindows
    NASL idFLASH_PLAYER_APSB16-29.NASL
    descriptionThe version of Adobe Flash Player installed on the remote Windows host is equal or prior to version 22.0.0.211. It is, therefore, affected by multiple vulnerabilities : - Multiple security bypass vulnerabilities exist that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-4271, CVE-2016-4277, CVE-2016-4278) - Multiple use-after-free errors exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932) - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-6922, CVE-2016-6924) - An integer overflow condition exists that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-4287)
    last seen2020-06-01
    modified2020-06-02
    plugin id93461
    published2016-09-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93461
    titleAdobe Flash Player <= 22.0.0.211 Multiple Vulnerabilities (APSB16-29)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1123.NASL
    descriptionThis update for flash-player fixes the following security issues (APSB16-29, boo#998589) : - integer overflow vulnerability that could lead to code execution (CVE-2016-4287). - use-after-free vulnerabilities that could lead to code execution (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932) - security bypass vulnerabilities that could lead to information disclosure (CVE-2016-4271, CVE-2016-4277, CVE-2016-4278) - memory corruption vulnerabilities that could lead to code execution (CVE-2016-4182, CVE-2016-4237, CVE-2016-4238, CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-6922, CVE-2016-6924) The package description was update to reflex that the stand-alone Flash is no longer provided on x86_64 architectures (boo#977664).
    last seen2020-06-05
    modified2016-09-27
    plugin id93731
    published2016-09-27
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93731
    titleopenSUSE Security Update : flash-player (openSUSE-2016-1123)

Redhat

advisories
rhsa
idRHSA-2016:1865
rpms
  • flash-plugin-0:11.2.202.635-1.el5_11
  • flash-plugin-0:11.2.202.635-1.el6_8