Vulnerabilities > CVE-2018-15982 - Use After Free vulnerability in Adobe Flash Player
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| file | exploits/windows/local/46051.txt |
| id | EDB-ID:46051 |
| last seen | 2018-12-25 |
| modified | 2018-12-24 |
| platform | windows |
| port | |
| published | 2018-12-24 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/46051 |
| title | Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC) |
| type | local |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_NOV_4471331.NASL description The remote Windows host is missing security update KB4471331. It is, therefore, affected by the following vulnerabilities : - An unspecified use-after-free error exists that allows remote code execution. (CVE-2018-15982) - An unspecified insecure library loading error exists that allows privilege escalation. (CVE-2018-15983) last seen 2020-06-01 modified 2020-06-02 plugin id 119463 published 2018-12-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119463 title KB4471331: Security update for Adobe Flash Player (December 2018) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(119463); script_version("1.8"); script_cvs_date("Date: 2019/05/21 6:55:12"); script_cve_id("CVE-2018-15982", "CVE-2018-15983"); script_bugtraq_id(105909); script_xref(name:"MSKB", value:"4471331"); script_xref(name:"MSFT", value:"MS18-4471331"); script_name(english:"KB4471331: Security update for Adobe Flash Player (December 2018)"); script_summary(english:"Checks the version of the ActiveX control."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has a browser plugin installed that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host is missing security update KB4471331. It is, therefore, affected by the following vulnerabilities : - An unspecified use-after-free error exists that allows remote code execution. (CVE-2018-15982) - An unspecified insecure library loading error exists that allows privilege escalation. (CVE-2018-15983)"); script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsb18-42.html"); # https://support.microsoft.com/en-us/help/4471331/security-update-for-adobe-flash-player script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eac06564"); script_set_attribute(attribute:"solution", value: "Microsoft has released KB4471331 to address this issue." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15982"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/05"); script_set_attribute(attribute:"patch_publication_date", value:"2018/12/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/06"); script_set_attribute(attribute:"plugin_type",value:"local"); script_set_attribute(attribute:"cpe",value:"cpe:/a:adobe:flash_player"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_activex_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = "MS18-12"; kbs = make_list('4471331'); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1); if ("Windows 8" >< productname && "Windows 8.1" >!< productname) audit(AUDIT_OS_SP_NOT_VULN); if (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, "activex_init"); # Adobe Flash Player CLSID clsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'; file = activex_get_filename(clsid:clsid); if (isnull(file)) { activex_end(); audit(AUDIT_FN_FAIL, "activex_get_filename", "NULL"); } if (!file) { activex_end(); audit(AUDIT_ACTIVEX_NOT_FOUND, clsid); } # Get its version. version = activex_get_fileversion(clsid:clsid); if (empty_or_null(version)) { activex_end(); audit(AUDIT_VER_FAIL, file); } info = ''; iver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(iver); i++) iver[i] = int(iver[i]); iver = join(iver, sep:"."); # all <= 31.0.0.153 fix = FALSE; if(ver_compare(ver:iver, fix:"31.0.0.153", strict:FALSE) <= 0) fix = "32.0.0.101"; if ( (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) && fix ) { info = '\n Path : ' + file + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; } port = kb_smb_transport(); if (info != '') { if (report_paranoia > 1) { report = info + '\n' + 'Note, though, that Nessus did not check whether the kill bit was\n' + "set for the control's CLSID because of the Report Paranoia setting" + '\n' + 'in effect when this scan was run.\n'; } else { report = info + '\n' + 'Moreover, its kill bit is not set so it is accessible via Internet\n' + 'Explorer.\n'; } replace_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_add_report(bulletin:'MS18-12', kb:'4471331', report); security_report_v4(severity:SECURITY_HOLE, port:port, extra:hotfix_get_report()); } else audit(AUDIT_HOST_NOT, 'affected');NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-3795.NASL description An update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 32.0.0.101. Security Fix(es) : * flash-plugin: Arbitrary Code Execution vulnerability (APSB18-42) (CVE-2018-15982) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 119489 published 2018-12-07 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119489 title RHEL 6 : flash-plugin (RHSA-2018:3795) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:3795. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(119489); script_version("1.8"); script_cvs_date("Date: 2019/10/24 15:35:46"); script_cve_id("CVE-2018-15982"); script_xref(name:"RHSA", value:"2018:3795"); script_name(english:"RHEL 6 : flash-plugin (RHSA-2018:3795)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "An update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 32.0.0.101. Security Fix(es) : * flash-plugin: Arbitrary Code Execution vulnerability (APSB18-42) (CVE-2018-15982) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section." ); script_set_attribute( attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsb18-42.html" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:3795" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-15982" ); script_set_attribute( attribute:"solution", value:"Update the affected flash-plugin package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:flash-plugin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/18"); script_set_attribute(attribute:"patch_publication_date", value:"2018/12/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/07"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2018:3795"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", reference:"flash-plugin-32.0.0.101-1.el6_10")) flag++; if (flag) { flash_plugin_caveat = '\n' + 'NOTE: This vulnerability check only applies to RedHat released\n' + 'versions of the flash-plugin package. This check does not apply to\n' + 'Adobe released versions of the flash-plugin package, which are\n' + 'versioned similarly and cause collisions in detection.\n\n' + 'If you are certain you are running the Adobe released package of\n' + 'flash-plugin and are running a version of it equal or higher to the\n' + 'RedHat version listed above then you can consider this a false\n' + 'positive.\n'; security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() + flash_plugin_caveat ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "flash-plugin"); } }NASL family MacOS X Local Security Checks NASL id MACOSX_FLASH_PLAYER_APSB18-42.NASL description The version of Adobe Flash Player installed on the remote macOS or Mac OS X host is equal or prior to version 31.0.0.153. It is therefore affected by the following vulnerabilities : - An unspecified use-after-free error exists that allows remote code execution. (CVE-2018-15982) - An unspecified insecure library loading error exists that allows privilege escalation. (CVE-2018-15983) last seen 2020-06-01 modified 2020-06-02 plugin id 119424 published 2018-12-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119424 title Adobe Flash Player for Mac <= 31.0.0.153 (APSB18-42) NASL family Windows NASL id FLASH_PLAYER_APSB18-42.NASL description The version of Adobe Flash Player installed on the remote Windows host is equal or prior to version 31.0.0.153. It is therefore affected by the following vulnerabilities : - An unspecified use-after-free error exists that allows remote code execution. (CVE-2018-15982) - An unspecified insecure library loading error exists that allows privilege escalation. (CVE-2018-15983) last seen 2020-06-01 modified 2020-06-02 plugin id 119462 published 2018-12-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119462 title Adobe Flash Player <= 31.0.0.153 (APSB18-42) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_49CBE200F92A11E8A89DD43D7EF03AA6.NASL description Adobe reports : - This update resolves a use-after-free vulnerability that could lead to arbitrary code execution (CVE-2018-15982). - This update resolves an insecure library loading vulnerability that could lead to privilege escalation (CVE-2018-15983). last seen 2020-06-01 modified 2020-06-02 plugin id 119481 published 2018-12-07 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119481 title FreeBSD : Flash Player -- multiple vulnerabilities (49cbe200-f92a-11e8-a89d-d43d7ef03aa6)
Redhat
| advisories |
| ||||
| rpms | flash-plugin-0:32.0.0.101-1.el6_10 |
The Hacker News
id THN:F9EC40738046ED8F7313B58F3324855D last seen 2018-12-12 modified 2018-12-12 published 2018-12-12 reporter The Hacker News source https://thehackernews.com/2018/12/adobe-acrobat-update.html title Adobe's Year-End Update Patches 87 Flaws in Acrobat Software id THN:1E17CFED2DC9622E7D01A332EDE9F110 last seen 2018-12-06 modified 2018-12-06 published 2018-12-06 reporter The Hacker News source https://thehackernews.com/2018/12/flash-player-vulnerability.html title New Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs