Adobe Flash Vulnerability Can Lead to Code Execution and Asset Takeover (CVE-2018-15982)
Adobe has issued an out-of-band advisory for CVE-2018-15982. Through the use of a maliciously crafted RAR file, an attacker exploiting this vulnerability can take over the machine of users that run it.
Background
Adobe has released an out-of-band security bulletin. that includes patches for CVE-2018-15982, a critical arbitrary code execution vulnerability in Adobe Flash which has been used to allegedly attack Polyclinic No. 2, which is affiliated with the Presidential Administration of Russia. Users are encouraged to update all applications that incorporate Flash.
Analysis
The attack requires a user to open and run a malicious file that takes advantage of a dangling pointer, allowing the attacker to insert their code into the target’s memory, which Flash then executes. As with most code execution vulnerabilities, this vulnerability establishes a backdoor or similar foothold on the target.
In spear phishing campaigns, attacks are often designed to appear as legitimate emails, documents or tools, such as a Chrome extension that the organization often uses. In this case, attackers created a fake employee survey document that users understandably believed they needed to complete.
Source: 360 Core Security
Proof of concept
360 Core Security, one of the groups credited by Adobe with discovering this vulnerability, has an excellent technical write-up on how this attack works, and specifically how it was allegedly used against the Polyclinic site.
Once the payload is delivered, it disguises itself as an Nvidia driver application to further obfuscate infection.
Source: 360 Core Security
Solution
Adobe’s advisory provides the following information on updating Flash:
- Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, macOS and Linux update to Adobe Flash Player 32.0.0.101 via the update mechanism within the product* or by visiting the Adobe Flash Player Download Center.
- Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 32.0.0.101 for Windows, macOS, Linux and Chrome OS.
- Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 32.0.0.101.
*Note: Users who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.
Identifying affected systems
A list of Nessus plugins to identify this vulnerability will appear here as they’re released.
Get more information
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Related Articles
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
November 19, 2024Volt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.
CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
November 18, 2024Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.
Microsoft’s November 2024 Patch Tuesday Addresses 87 CVEs (CVE-2024-43451, CVE-2024-49039)
November 12, 2024Microsoft addresses 87 CVEs and one advisory (ADV240001) in its November 2024 Patch Tuesday release, with four critical vulnerabilities and four zero-day vulnerabilities, including two that were exploited in the wild.
Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
November 21, 2024A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics
November 21, 2024A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.
Volt Typhoon: What State and Local Government Officials Need to Know
November 19, 2024Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.
- Vulnerability Management