Vulnerabilities > CVE-2019-8069 - Origin Validation Error vulnerability in Adobe Flash Player and Flash Player Desktop Runtime

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
adobe
CWE-346
critical
nessus

Summary

Adobe Flash Player 32.0.0.238 and earlier versions, 32.0.0.207 and earlier versions have a Same Origin Method Execution vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user.

Vulnerable Configurations

Part Description Count
Application
Adobe
159
OS
Apple
1
OS
Linux
1
OS
Microsoft
3
OS
Google
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • JSON Hijacking (aka JavaScript Hijacking)
    An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website. An attacker gets the victim to visit his or her malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server. There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.
  • Cache Poisoning
    An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
  • DNS Cache Poisoning
    A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An attacker modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the attacker specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Attackers can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
  • Exploitation of Session Variables, Resource IDs and other Trusted Credentials
    Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers. The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system.
  • Application API Message Manipulation via Man-in-the-Middle
    An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system. Despite the use of MITM software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Man-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2756.NASL
    descriptionAn update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 32.0.0.255. Security Fix(es) : * flash-plugin: Arbitrary Code Execution vulnerabilities (APSB19-46) (CVE-2019-8069, CVE-2019-8070) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128860
    published2019-09-16
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128860
    titleRHEL 6 : flash-plugin (RHSA-2019:2756)
  • NASL familyWindows
    NASL idFLASH_PLAYER_APSB19-46.NASL
    descriptionThe version of Adobe Flash Player installed on the remote Windows host is equal or prior to version 32.0.0.238. It is therefore affected by multiple arbitrary code execution vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id128633
    published2019-09-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128633
    titleAdobe Flash Player <= 32.0.0.238 (APSB19-46)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201911-05.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201911-05 (Adobe Flash Player: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE identifiers for details. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id131265
    published2019-11-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131265
    titleGLSA-201911-05 : Adobe Flash Player: Multiple vulnerabilities
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FLASH_PLAYER_APSB19-46.NASL
    descriptionThe version of Adobe Flash Player installed on the remote macOS or Mac OS X host is equal or prior to version 32.0.0.238. It is therefore affected by multiple arbitrary code execution vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id128632
    published2019-09-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128632
    titleAdobe Flash Player for Mac <= 32.0.0.238 (APSB19-46)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_C6F19FE6D42A11E9B4F96451062F0F7A.NASL
    descriptionAdobe reports : - This update resolves a same origin method execution vulnerability that could lead to arbitrary code execution (CVE-2019-8069). - This update resolves a use-after-free vulnerability that could lead to arbitrary code execution (CVE-2019-8070).
    last seen2020-06-01
    modified2020-06-02
    plugin id128654
    published2019-09-11
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128654
    titleFreeBSD : Flash Player -- multiple vulnerabilities (c6f19fe6-d42a-11e9-b4f9-6451062f0f7a)
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_SEP_FLASH.NASL
    descriptionThe remote Windows host is missing security update KB4516115. It is, therefore, affected by multiple arbitrary code execution vulnerabilities in Adobe Flash Player.
    last seen2020-06-01
    modified2020-06-02
    plugin id128646
    published2019-09-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128646
    titleKB4516115: Security update for Adobe Flash Player (September 2019)

Redhat

rpmsflash-plugin-0:32.0.0.255-1.el6_10

The Hacker News

idTHN:720C8F7F5211ABA35D5955E6805FFB78
last seen2019-09-10
modified2019-09-10
published2019-09-10
reporterThe Hacker News
sourcehttps://thehackernews.com/2019/09/adobe-security-updates.html
titleAdobe Releases Security Patches For Critical Flash Player Vulnerabilities