Vulnerabilities > CVE-2018-15982 - Use After Free vulnerability in Adobe Flash Player

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
adobe
apple
linux
microsoft
google
redhat
CWE-416
critical
nessus
exploit available

Summary

Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.

Vulnerable Configurations

Part Description Count
Application
Adobe
545
OS
Apple
1
OS
Linux
1
OS
Microsoft
3
OS
Google
1
OS
Redhat
3

Common Weakness Enumeration (CWE)

Exploit-Db

fileexploits/windows/local/46051.txt
idEDB-ID:46051
last seen2018-12-25
modified2018-12-24
platformwindows
port
published2018-12-24
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/46051
titleAdobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC)
typelocal

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS18_NOV_4471331.NASL
    descriptionThe remote Windows host is missing security update KB4471331. It is, therefore, affected by the following vulnerabilities : - An unspecified use-after-free error exists that allows remote code execution. (CVE-2018-15982) - An unspecified insecure library loading error exists that allows privilege escalation. (CVE-2018-15983)
    last seen2020-06-01
    modified2020-06-02
    plugin id119463
    published2018-12-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119463
    titleKB4471331: Security update for Adobe Flash Player (December 2018)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119463);
      script_version("1.8");
      script_cvs_date("Date: 2019/05/21  6:55:12");
    
      script_cve_id("CVE-2018-15982", "CVE-2018-15983");
      script_bugtraq_id(105909);
      script_xref(name:"MSKB", value:"4471331");
      script_xref(name:"MSFT", value:"MS18-4471331");
    
      script_name(english:"KB4471331: Security update for Adobe Flash Player (December 2018)");
      script_summary(english:"Checks the version of the ActiveX control.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has a browser plugin installed that is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update KB4471331. It is,
    therefore, affected by the following vulnerabilities :
    
      - An unspecified use-after-free error exists that allows
        remote code execution. (CVE-2018-15982)
    
      - An unspecified insecure library loading error exists
        that allows privilege escalation. (CVE-2018-15983)");
      script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsb18-42.html");
      # https://support.microsoft.com/en-us/help/4471331/security-update-for-adobe-flash-player
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eac06564");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released KB4471331 to address this issue."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15982");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/06");
    
      script_set_attribute(attribute:"plugin_type",value:"local");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:adobe:flash_player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_activex_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS18-12";
    kbs = make_list('4471331');
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Windows 8" >< productname && "Windows 8.1" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    if (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, "activex_init");
    
    # Adobe Flash Player CLSID
    clsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}';
    
    file = activex_get_filename(clsid:clsid);
    if (isnull(file))
    {
      activex_end();
      audit(AUDIT_FN_FAIL, "activex_get_filename", "NULL");
    }
    if (!file)
    {
      activex_end();
      audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);
    }
    
    # Get its version.
    version = activex_get_fileversion(clsid:clsid);
    if (empty_or_null(version))
    {
      activex_end();
      audit(AUDIT_VER_FAIL, file);
    }
    
    info = '';
    
    iver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(iver); i++)
     iver[i] = int(iver[i]);
    iver = join(iver, sep:".");
    
    # all <= 31.0.0.153
    fix = FALSE;
    if(ver_compare(ver:iver, fix:"31.0.0.153", strict:FALSE) <= 0)
      fix = "32.0.0.101";
    
    if (
      (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) &&
      fix
    )
    {
      info = '\n  Path              : ' + file +
             '\n  Installed version : ' + version +
             '\n  Fixed version     : ' + fix +
             '\n';
    }
    
    port = kb_smb_transport();
    
    if (info != '')
    {
        if (report_paranoia > 1)
        {
          report = info +
            '\n' +
            'Note, though, that Nessus did not check whether the kill bit was\n' +
            "set for the control's CLSID because of the Report Paranoia setting" + '\n' +
            'in effect when this scan was run.\n';
        }
        else
        {
          report = info +
            '\n' +
            'Moreover, its kill bit is not set so it is accessible via Internet\n' +
            'Explorer.\n';
        }
        replace_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
        hotfix_add_report(bulletin:'MS18-12', kb:'4471331', report);
        security_report_v4(severity:SECURITY_HOLE, port:port, extra:hotfix_get_report());
    }
    else audit(AUDIT_HOST_NOT, 'affected');
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3795.NASL
    descriptionAn update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 32.0.0.101. Security Fix(es) : * flash-plugin: Arbitrary Code Execution vulnerability (APSB18-42) (CVE-2018-15982) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id119489
    published2018-12-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119489
    titleRHEL 6 : flash-plugin (RHSA-2018:3795)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3795. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119489);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/24 15:35:46");
    
      script_cve_id("CVE-2018-15982");
      script_xref(name:"RHSA", value:"2018:3795");
    
      script_name(english:"RHEL 6 : flash-plugin (RHSA-2018:3795)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for flash-plugin is now available for Red Hat Enterprise
    Linux 6 Supplementary.
    
    Red Hat Product Security has rated this update as having a security
    impact of Critical. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The flash-plugin package contains a Mozilla Firefox compatible Adobe
    Flash Player web browser plug-in.
    
    This update upgrades Flash Player to version 32.0.0.101.
    
    Security Fix(es) :
    
    * flash-plugin: Arbitrary Code Execution vulnerability (APSB18-42)
    (CVE-2018-15982)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://helpx.adobe.com/security/products/flash-player/apsb18-42.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:3795"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-15982"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected flash-plugin package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:flash-plugin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:3795";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", reference:"flash-plugin-32.0.0.101-1.el6_10")) flag++;
    
      if (flag)
      {
        flash_plugin_caveat = '\n' +
          'NOTE: This vulnerability check only applies to RedHat released\n' +
          'versions of the flash-plugin package. This check does not apply to\n' +
          'Adobe released versions of the flash-plugin package, which are\n' +
          'versioned similarly and cause collisions in detection.\n\n' +
    
          'If you are certain you are running the Adobe released package of\n' +
          'flash-plugin and are running a version of it equal or higher to the\n' +
          'RedHat version listed above then you can consider this a false\n' +
          'positive.\n';
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat() + flash_plugin_caveat
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "flash-plugin");
      }
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FLASH_PLAYER_APSB18-42.NASL
    descriptionThe version of Adobe Flash Player installed on the remote macOS or Mac OS X host is equal or prior to version 31.0.0.153. It is therefore affected by the following vulnerabilities : - An unspecified use-after-free error exists that allows remote code execution. (CVE-2018-15982) - An unspecified insecure library loading error exists that allows privilege escalation. (CVE-2018-15983)
    last seen2020-06-01
    modified2020-06-02
    plugin id119424
    published2018-12-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119424
    titleAdobe Flash Player for Mac <= 31.0.0.153 (APSB18-42)
  • NASL familyWindows
    NASL idFLASH_PLAYER_APSB18-42.NASL
    descriptionThe version of Adobe Flash Player installed on the remote Windows host is equal or prior to version 31.0.0.153. It is therefore affected by the following vulnerabilities : - An unspecified use-after-free error exists that allows remote code execution. (CVE-2018-15982) - An unspecified insecure library loading error exists that allows privilege escalation. (CVE-2018-15983)
    last seen2020-06-01
    modified2020-06-02
    plugin id119462
    published2018-12-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119462
    titleAdobe Flash Player <= 31.0.0.153 (APSB18-42)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_49CBE200F92A11E8A89DD43D7EF03AA6.NASL
    descriptionAdobe reports : - This update resolves a use-after-free vulnerability that could lead to arbitrary code execution (CVE-2018-15982). - This update resolves an insecure library loading vulnerability that could lead to privilege escalation (CVE-2018-15983).
    last seen2020-06-01
    modified2020-06-02
    plugin id119481
    published2018-12-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119481
    titleFreeBSD : Flash Player -- multiple vulnerabilities (49cbe200-f92a-11e8-a89d-d43d7ef03aa6)

Redhat

advisories
rhsa
idRHSA-2018:3795
rpmsflash-plugin-0:32.0.0.101-1.el6_10

The Hacker News