A publicly exploited use after free vulnerability leading to arbitrary code execution was discovered in the Adobe Flash Player. Adobe has addressed this vulnerability in APSB18-42, by releasing the latest version – 184.108.40.206. An additional insecure library loading vulnerability, which leads with privilege escalation via DLL hijacking attacks was also remediated via this update. MITRE has assigned CVE-2018-15982 & CVE-2018-15983 respectively for both these vulnerabilities. Correspondingly, Microsoft has also released ADV180031 to address the two vulnerabilities.
Exploited in the Wild:
CVE-2018-15982 has already been weaponized and found in APT campaigns, targeting certain Russian individuals. It is being exploited via crafted Flash objects that are embedded in a Microsoft Office document and delivered via a spear-phishing email attack. The document is disguised as a questionnaire from a Moscow based clinic and may use social engineering attacks to entice an user into executing the embedded crafter Adobe Flash content. If successful, an implanted binary within a .rar file is extracted and executed. This extracted binary is a backdoor masquerading NVIDIA Control Panel application that utilizes a stolen, revoked digital certificate.
We request organizations to apply the latest patches provided by Adobe and Microsoft. Additionally, organizations can scan their environment with the following Qualys QIDs to detect the vulnerabilities described as CVE-2018-15982 & CVE-2018-15983:
|Red Hat Update for flash-plugin (RHSA-2018:3795)
|Microsoft Windows Adobe Flash Player Security Update for December 2018 (ADV180031)
|Adobe Security Update for Flash Player (APSB18-42)