{"id": "OPENVAS:1361412562310813602", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (apsb18-19)", "description": "This host is installed with Adobe Flash Player\n within Microsoft Edge or Internet Explorer and is prone to multiple vulnerabilities.", "published": "2018-06-08T00:00:00", "modified": "2020-05-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813602", "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "references": ["https://helpx.adobe.com/security/products/flash-player/apsb18-19.html"], "cvelist": ["CVE-2018-5001", "CVE-2018-5002", "CVE-2018-5000", "CVE-2018-4945"], "lastseen": "2020-05-15T17:01:22", "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "adobe", "idList": ["APSB18-19"]}, {"type": "archlinux", "idList": ["ASA-201806-7"]}, {"type": "attackerkb", "idList": ["AKB:562EA3B5-6C06-49C6-AE75-917762A9F3B9"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-0535", "CPAI-2018-0537", "CPAI-2018-0538", "CPAI-2018-0539"]}, {"type": "cve", "idList": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"]}, {"type": "freebsd", "idList": ["2DDE5A56-6AB1-11E8-B639-6451062F0F7A"]}, {"type": "gentoo", "idList": ["GLSA-201806-02"]}, {"type": "kaspersky", "idList": ["KLA11261"]}, {"type": "krebs", "idList": ["KREBS:377DC4DFDAF49AA3F03846964CC1864A"]}, {"type": "mageia", "idList": ["MGASA-2018-0286"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:29082210E17AE80B08D8FF58AED79F23"]}, {"type": "mscve", "idList": ["MS:ADV180014"]}, {"type": "myhack58", "idList": ["MYHACK58:62201890436", "MYHACK58:62201890504", "MYHACK58:62201994516"]}, {"type": "nessus", "idList": ["700434.PRM", "FLASH_PLAYER_APSB18-19.NASL", "FREEBSD_PKG_2DDE5A566AB111E8B6396451062F0F7A.NASL", "GENTOO_GLSA-201806-02.NASL", "MACOSX_FLASH_PLAYER_APSB18-19.NASL", 
"REDHAT-RHSA-2018-1827.NASL", "SMB_NT_MS18_JUN_4287903.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813396", "OPENVAS:1361412562310813397", "OPENVAS:1361412562310813398", "OPENVAS:1361412562310813399", "OPENVAS:1361412562310813400", "OPENVAS:1361412562310813601"]}, {"type": "redhat", "idList": ["RHSA-2018:1827"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-4945", "RH:CVE-2018-5000", "RH:CVE-2018-5001", "RH:CVE-2018-5002"]}, {"type": "securelist", "idList": ["SECURELIST:A2A995C1C898D3DA4DB008FBA6AA149E"]}, {"type": "thn", "idList": ["THN:A63890B8ADE3B23F098107F5CC398A2F"]}, {"type": "threatpost", "idList": ["THREATPOST:3127C5639EF00B80A0DE1B63E8892A5E", "THREATPOST:34985C64EA7AF207D4CE9A800671E3C1", "THREATPOST:DBD7145D5FE0AE34B1D653D25DF60AE8"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:2E1DD618823C4F9E766FE77AB4EB8913"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-4945", "UB:CVE-2018-5000", "UB:CVE-2018-5001", "UB:CVE-2018-5002"]}, {"type": "zdi", "idList": ["ZDI-18-568", "ZDI-18-569", "ZDI-18-570"]}]}, "score": {"value": 0.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "adobe", "idList": ["APSB18-19"]}, {"type": "archlinux", "idList": ["ASA-201806-7"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-0535", "CPAI-2018-0537", "CPAI-2018-0538", "CPAI-2018-0539"]}, {"type": "cve", "idList": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"]}, {"type": "freebsd", "idList": ["2DDE5A56-6AB1-11E8-B639-6451062F0F7A"]}, {"type": "gentoo", "idList": ["GLSA-201806-02"]}, {"type": "kaspersky", "idList": ["KLA11261"]}, {"type": "krebs", "idList": ["KREBS:377DC4DFDAF49AA3F03846964CC1864A"]}, {"type": "mscve", "idList": ["MS:ADV180014"]}, {"type": "myhack58", "idList": ["MYHACK58:62201890436", "MYHACK58:62201890504"]}, {"type": "nessus", "idList": ["FLASH_PLAYER_APSB18-19.NASL", "FREEBSD_PKG_2DDE5A566AB111E8B6396451062F0F7A.NASL", "GENTOO_GLSA-201806-02.NASL", "REDHAT-RHSA-2018-1827.NASL"]}, 
{"type": "openvas", "idList": ["OPENVAS:1361412562310813396", "OPENVAS:1361412562310813397", "OPENVAS:1361412562310813398", "OPENVAS:1361412562310813399", "OPENVAS:1361412562310813400", "OPENVAS:1361412562310813601"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-4945", "RH:CVE-2018-5000", "RH:CVE-2018-5001", "RH:CVE-2018-5002"]}, {"type": "securelist", "idList": ["SECURELIST:A2A995C1C898D3DA4DB008FBA6AA149E"]}, {"type": "thn", "idList": ["THN:A63890B8ADE3B23F098107F5CC398A2F"]}, {"type": "threatpost", "idList": ["THREATPOST:34985C64EA7AF207D4CE9A800671E3C1", "THREATPOST:DBD7145D5FE0AE34B1D653D25DF60AE8"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:2E1DD618823C4F9E766FE77AB4EB8913"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-4945", "UB:CVE-2018-5000", "UB:CVE-2018-5001", "UB:CVE-2018-5002"]}, {"type": "zdi", "idList": ["ZDI-18-568", "ZDI-18-569", "ZDI-18-570"]}]}, "exploitation": null, "vulnersScore": 0.4}, "pluginID": "1361412562310813602", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (apsb18-19)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813602\");\n script_version(\"2020-05-13T14:08:32+0000\");\n script_cve_id(\"CVE-2018-5002\", \"CVE-2018-4945\", \"CVE-2018-5000\", \"CVE-2018-5001\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-13 14:08:32 +0000 (Wed, 13 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-08 12:38:35 +0530 (Fri, 08 Jun 2018)\");\n script_name(\"Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (apsb18-19)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_flash_player_within_ie_edge_detect.nasl\");\n script_mandatory_keys(\"AdobeFlash/IE_or_EDGE/Installed\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n within Microsoft Edge or Internet Explorer and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - A type confusion error.\n\n - An integer overflow error.\n\n - An out-of-bounds read error.\n\n - A stack-based buffer overflow error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct 
arbitrary code execution and disclosure of sensitive\n information.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player within Microsoft Edge or\n Internet Explorer on,\n\n Windows 10 Version 1803 for x32/x64 Edition,\n\n Windows 10 Version 1607 for x32/x64 Edition,\n\n Windows 10 Version 1703 for x32/x64 Edition,\n\n Windows 10 Version 1709 for x32/x64 Edition,\n\n Windows 10 x32/x64 Edition,\n\n Windows 8.1 for x32/x64 Edition and\n\n Windows Server 2012/2012 R2/2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more\n information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012:1, win2012R2:1, win10:1,\n win10x64:1, win2016:1) <= 0)\n exit(0);\n\ncpe_list = make_list(\"cpe:/a:adobe:flash_player_internet_explorer\", \"cpe:/a:adobe:flash_player_edge\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\nif(path) {\n path = path + \"\\Flashplayerapp.exe\";\n} else {\n path = \"Could not find the install location\";\n}\n\nif(version_is_less(version:vers, test_version:\"30.0.0.113\")) {\n report = report_fixed_ver(file_checked:path, file_version:vers, vulnerable_range:\"Less than 30.0.0.113\");\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Windows : Microsoft Bulletins", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659998956, "score": 1659979568}, "_internal": {"score_hash": "b3a1396c683888c12ae418ea74001ceb"}}
{"threatpost": [{"lastseen": "2019-05-30T05:54:43", "description": "Adobe has patched two critical and two important vulnerabilities in its Flash Player on Thursday, including one that is being exploited in the wild in targeted attacks against Windows users.\n\nThe critical vulnerability with an existing exploit ([CVE-2018-5002](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5002>)) is a stack-based buffer overflow bug that could enable arbitrary code execution, according to Adobe. The attacks are leveraging Office documents, according to Adobe.\n\n\u201cAdobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users,\u201d the company said in a [release](<https://helpx.adobe.com/security/products/flash-player/apsb18-19.html>), Thursday. \u201cThese attacks leverage Office documents with embedded malicious Flash Player content distributed via email.\u201d\n\nMicrosoft did not respond to a request for comment from Threatpost by publication.\n\nAllan Liska, threat intelligence analyst at Recorded Future, told Threatpost the vuln is currently being exploited as part of several phishing campaigns.\n\n\u201cThe exploit takes advantage of a Flash file embedded in a Microsoft Office document, when the victim opens the Office Document the trojaned Flash code automatically runs and executes shell code which calls out to the attackers\u2019 command and control servers,\u201d Liska told Threatpost.\n\nImpacted versions include Adobe Flash Player Desktop Runtime (29.0.0.171 and earlier versions) on Windows, macOS and Linux; Adobe Flash Player for Google Chrome (29.0.0.171 and earlier versions) for Windows, macOS, Linux and Chrome OS; and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (29.0.0.171 and earlier versions) for Windows 10 and 8.1.\n\nThe updates for all platforms had a priority rating of two out of three, meaning there are no exploits; but the Adobe Flash Player 
Desktop Runtime platform for Linux was rated priority three out of three.\n\nAccording to Adobe\u2019s priority rating description, this priority rating means \u201cupdate resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.\u201d\n\nAccording to Adobe, CVE-2018-5002 was discovered by researchers from an array of organizations, including individuals from ICEBRG; 360 Threat Intelligence Center of 360 Enterprise Security Group; and Qihoo 360 Core Security.\n\nThe company issued a patch for another critical vulnerability ([CVE-2018-4945](<https://nvd.nist.gov/vuln/detail/CVE-2018-4945>)) that enables arbitrary code execution. The bug was discovered by Jihui Lu of Tencent KeenLab and willJ of Tencent PC Manager, working with Trend Micro\u2019s Zero Day Initiative.\n\nAdobe also issued patches for two \u201cimportant\u201d vulnerabilities that could both lead to information disclosure, including one (CVE-2018-5000) Integer Overflow bug and an Out-of-bounds read glitch (CVE-2018-5001).\n\nAdobe recommended that all impacted versions update immediately to versions 30.0.0.113 via their update mechanism within the product or by visiting the Adobe Flash Player Download Center.\n\nMeanwhile, Adobe Flash Player with Google Chrome, Microsoft Edge, and IE 11 for Windows 10 and 8.1 \u201cwill be automatically downloaded to the latest version,\u201d the company said.\n\nAdobe has doled out its fair share of patches over the past few months \u2013 just [weeks](<https://threatpost.com/adobe-doles-out-second-round-of-higher-priority-patches/131967/>) ago the company posted patches for a slew of critical vulnerabilities, which have a higher risk of being exploited. 
Earlier in [May](<https://threatpost.com/adobe-patches-critical-bugs-in-flash-player-creative-cloud/131794/>), Adobe released patches for five critical and important vulnerabilities spanning Creative Cloud, Adobe Flash Player and web conferencing software tool Adobe Connect.\n", "cvss3": {}, "published": "2018-06-07T13:14:25", "type": "threatpost", "title": "Adobe Patches Critical Flash Player Bug With Active Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2018-06-07T13:14:25", "id": "THREATPOST:34985C64EA7AF207D4CE9A800671E3C1", "href": "https://threatpost.com/adobe-patches-critical-flash-player-bug-with-active-exploit/132595/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T05:52:38", "description": "A zero-day vulnerability is being exploited in the wild in targeted attacks against Windows users in the Middle East, researchers warned Thursday.\n\nThe Flash Player vulnerability (CVE-2018-5002), a stack-based buffer overflow bug that could enable arbitrary code execution, was patched earlier today by [Adobe](<https://threatpost.com/adobe-patches-critical-flash-player-bug-with-active-exploit/132595/>).\n\nThe vulnerability \u201callows for a maliciously crafted Flash object to execute code on victim computers, which enables an attacker to execute a range of payloads and actions,\u201d researchers from ICEBRG\u2019s Security Research Team, who was the first to report the discovered vuln, said in a Thursday [post](<https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack?utm_source=twitter&utm_medium=social&utm_term=&utm_content=&utm_campaign=blogpost-adobe0day>). 
It\u2019s particularly dangerous because all that needs to happen for the bug to be triggered is for the victim to open a malicious file.\n\nAccording to Adobe, CVE-2018-5002 was discovered by researchers from an array of organizations, including individuals from ICEBRG; 360 Threat Intelligence Center of 360 Enterprise Security Group; and Qihoo 360 Core Security. [ICEBRG](<https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack?utm_source=twitter&utm_medium=social&utm_term=&utm_content=&utm_campaign=blogpost-adobe0day>) and [Qihoo 360](<http://blogs.360.cn/blog/cve-2018-5002-en/>) both came out with posts analyzing the new bug.\n\nThe exploit uses a carefully constructed Microsoft Office document to download and execute an Adobe Flash exploit on the victims\u2019 computers, according to ICEBRG researchers. The documents were sent primarily via email, according to Adobe.\n\nFirst, the user would open a weaponized Shockwave Flash file. From there, the file downloads and executes the exploit to achieve code execution on the system.\n\nThe file then executes shellcode, which calls out to the attackers\u2019 command and control servers and enables the threat actor to further control the victim machine.\n\n\u201cTypically, the final payload consists of shell code that provides backdoor functionality to the system or stages additional tools,\u201d ICEBRG researchers said.\n\nBoth ICEBRG and Qihoo 360 found evidence that suggested the exploit was targeting Qatari victims, based on geopolitical interests.\n\n\u201cThe weaponized document \u2026 is an Arabic language themed document that purports to inform the target of employee salary adjustments,\u201d ICEBRG researchers said. 
\u201cMost of the job titles included in the document are diplomatic in nature, specifically referring to salaries with positions referencing secretaries, ambassadors, diplomats, etc.\u201d\n\nMeanwhile, Qihoo researchers also said that \u201call clues show this is a typical APT attack.\u201d\n\n\u201cThe attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack,\u201d Qihoo researchers said. \u201cThe detailed phishing attack content was also tailored to the attack target.\u201d\n\nAdobe dealt with another zero-day Flash vulnerability back in February, which was [exploited](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets>) by North Korean hackers.\n\nThe company on Thursday also patched another critical vulnerability ([CVE-2018-4945](<https://nvd.nist.gov/vuln/detail/CVE-2018-4945>)) that enables arbitrary code execution; and two \u201cimportant\u201d vulnerabilities that could both lead to information disclosure, including one (CVE-2018-5000) Integer Overflow bug and an Out-of-bounds read glitch (CVE-2018-5001).\n\nMicrosoft did not respond to multiple requests for comment from Threatpost. 
The company posted a [security update](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180014>) regarding the vulnerability on Thursday.\n\n\u201cIn order to protect themselves, users should immediately upgrade their Adobe Flash and disable macros in Microsoft Office,\u201d Allan Liska, threat intelligence analyst at Recorded Future, told Threatpost.\n", "cvss3": {}, "published": "2018-06-07T20:05:52", "type": "threatpost", "title": "Zero-Day Flash Exploit Targeting Middle East", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-4878", "CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2018-06-07T20:05:52", "id": "THREATPOST:DBD7145D5FE0AE34B1D653D25DF60AE8", "href": "https://threatpost.com/zero-day-flash-exploit-targeting-middle-east/132659/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-15T11:44:46", "description": "A newly-patched Microsoft Win32k vulnerability is being exploited in the wild by at least two threat actors, including a recently discovered advanced persistent threat (APT) group dubbed SandCat.\n\nThe exploited vulnerability (CVE-2019-0797), rated important, was [patched on Tuesday](<https://threatpost.com/microsoft-patches-two-win32k-bugs-under-active-attack/142742/>) as part of Microsoft\u2019s regularly scheduled March security update. 
But Kaspersky Lab researchers said that the vulnerability is already being used by two APTs, SandCat and [FruityArmor](<https://threatpost.com/fruityarmor-apt-exploits-yet-another-windows-graphics-kernel-flaw/138192/>), to run arbitrary code on target systems.\n\nSandCat is an APT that was discovered only recently, researchers Vasiliy Berdnikov and Boris Larin said in a Wednesday [deep dive analysis](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) of the vulnerability and its exploits.\n\n\u201cSandCat is a relatively new APT group; we first observed them in 2018, although it would appear they have been around for some time,\u201d Costin Raiu, director of global research and analysis team at Kaspersky Lab, told Threatpost. \u201cThey use both [FinFisher/FinSpy](<https://threatpost.com/office-zero-day-delivering-finspy-spyware-to-victims-in-russia/124939/>) [spyware] and the [CHAINSHOT](<https://unit42.paloaltonetworks.com/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/>) framework in attacks, coupled with various zero-days. Targets of SandCat have been mostly observed in Middle East, including but not limited to Saudi Arabia.\u201d\n\nMeanwhile, the FruityArmor APT group is an under-the-radar cyber-espionage gang also active in the Middle East, which has been around for some time, Raiu said. FruityArmor has been known to exploit other zero days, including one (CVE-2018-8453) [back in October 2018](<https://threatpost.com/fruityarmor-apt-exploits-yet-another-windows-graphics-kernel-flaw/138192/>).\n\n\u201cThe earliest publication from our side on them is from 2016, [when we identified another zero day](<https://threatpost.com/fruityarmor-apt-group-used-recently-patched-windows-zero-day/121398/>) (CVE-2016-3393) being used by this group,\u201d Raiu told Threatpost. 
\u201cVictims of FruityArmor are generally located in the Middle East, but they are known to target journalists and activists in other regions as well.\u201d\n\nThe new exploit found in the wild is targeting 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063.\n\n\u201cAs we can see from the zero-day used in the wild, exploitation of this vulnerability is not difficult and is reliable for 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063,\u201d Kaspersky Lab\u2019s Larin told Threatpost.\n\nBoth Mideast-focused APTs are selectively choosing their targets, researchers said.\n\n\u201cWe observed very few attempts to exploit this vulnerability, in targeted attacks,\u201d Raiu told Threatpost. \u201cThis is generally the case with high-profile zero-days, which are used only for high-value targets in what can be considered surgical campaigns.\u201d\n\n## The Vulnerability\n\nCVE-2019-0797 is an elevation of privilege vulnerability, which exists in Windows when the Win32k component fails to properly handle objects in memory. Win32k is the Windows kernel driver.\n\nSpecifically, the flaw is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented system calls (NtDCompositionDiscardFrame and NtDCompositionDestroyConnection), researchers said. A race condition occurs when a system attempts to perform two or more operations at the same time.\n\nTo exploit this, an attacker could first execute the system calls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection simultaneously.\n\nWhen this happens, the system call NtDCompositionDiscardFrame will look for a frame to release. 
During that time, the attacker would execute the function DiscardAllCompositionFrames; This condition leads to a use-after-free scenario, which is a type of memory-corruption flaw that can be leveraged by hackers to execute arbitrary code.\n\nThat means an attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode \u2013 and could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\n\u201cAn attacker could\u2026run a specially crafted application that could exploit the vulnerability and take control of an affected system,\u201d according to Microsoft\u2019s [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0797>).\n\nImportantly, to exploit the vulnerability, an attacker would first have to log on to the system.\n\nResearchers reported the flaw to Microsoft on Feb. 22. Microsoft\u2019s subsequent update, released on Patch Tuesday, addresses the vulnerability by correcting how Win32k handles objects in memory.\n", "cvss3": {}, "published": "2019-03-13T15:15:11", "type": "threatpost", "title": "Threat Groups SandCat, FruityArmor Exploiting Microsoft Win32k Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-3393", "CVE-2018-5002", "CVE-2018-8453", "CVE-2019-0797"], "modified": "2019-03-13T15:15:11", "id": "THREATPOST:3127C5639EF00B80A0DE1B63E8892A5E", "href": "https://threatpost.com/sandcat-fruityarmor-exploiting-microsoft-win32k/142751/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "adobe": [{"lastseen": "2022-10-21T17:05:56", "description": "Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address [critical]() vulnerabilities in Adobe Flash Player 29.0.0.171 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user. 
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-07T00:00:00", "type": "adobe", "title": "APSB18-19 Security updates available for Adobe Flash Player", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2018-06-07T00:00:00", "id": "APSB18-19", "href": "https://helpx.adobe.com/security/products/flash-player/apsb18-19.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T14:47:05", "description": "The version of Adobe Flash Player installed on the remote Windows host is equal or prior to version 29.0.0.171. 
It is therefore affected by multiple vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-07T00:00:00", "type": "nessus", "title": "Adobe Flash Player <= 29.0.0.171 (APSB18-19)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "FLASH_PLAYER_APSB18-19.NASL", "href": "https://www.tenable.com/plugins/nessus/110397", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110397);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-4945\",\n \"CVE-2018-5000\",\n \"CVE-2018-5001\",\n \"CVE-2018-5002\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n script_name(english:\"Adobe Flash Player <= 29.0.0.171 (APSB18-19)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote 
Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Windows\nhost is equal or prior to version 29.0.0.171. It is therefore \naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 30.0.0.113 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-5002\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 
and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Flash_Player/installed\");\n\n# Identify vulnerable versions.\ninfo = \"\";\nvariants = make_list(\n \"Plugin\",\n \"ActiveX\",\n \"Chrome\",\n \"Chrome_Pepper\"\n);\n\n# we're checking for versions less than *or equal to* the cutoff!\nforeach variant (variants)\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n\n if (isnull(vers) || isnull(files))\n continue;\n\n foreach key (keys(vers))\n {\n ver = vers[key];\n if (isnull(ver))\n continue;\n\n # <= 29.0.0.171\n if (ver_compare(ver:ver,fix:\"29.0.0.171\",strict:FALSE) <= 0)\n {\n num = key - (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += '\\n Product : Browser Plugin (for Firefox / Netscape / Opera)';\n fix = \"30.0.0.113\";\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n Product : ActiveX control (for Internet Explorer)';\n fix = \"30.0.0.113\";\n }\n else if (\"Chrome\" >< variant)\n {\n info += '\\n Product : Browser Plugin (for Google Chrome)';\n if (variant == \"Chrome\")\n fix = \"Upgrade to a version of Google Chrome running Flash Player 30.0.0.113\";\n }\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver;\n if (variant == \"Chrome_Pepper\")\n info += '\\n Fixed version : 30.0.0.113 (Chrome PepperFlash)';\n else if (!isnull(fix))\n info += '\\n Fixed version : '+fix;\n info += '\\n';\n }\n }\n}\n\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n security_report_v4(severity:SECURITY_HOLE, port:port, extra:info);\n}\nelse\n{\n if (thorough_tests)\n exit(0, 'No vulnerable versions of 
Adobe Flash Player were found.');\n else\n exit(1, 'Google Chrome\\'s built-in Flash Player may not have been detected because the \\'Perform thorough tests\\' setting was not enabled.');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:47:07", "description": "Adobe reports :\n\n- This update resolves a type confusion vulnerability that could lead to arbitrary code execution (CVE-2018-4945).\n\n- This update resolves an integer overflow vulnerability that could lead to information disclosure (CVE-2018-5000).\n\n- This update resolves an out-of-bounds read vulnerability that could lead to information disclosure (CVE-2018-5001).\n\n- This update resolves a stack-based buffer overflow vulnerability that could lead to arbitrary code execution (CVE-2018-5002).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-08T00:00:00", "type": "nessus", "title": "FreeBSD : Flash Player -- multiple vulnerabilities (2dde5a56-6ab1-11e8-b639-6451062f0f7a)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", 
"CVE-2018-5002"], "modified": "2022-05-27T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:linux-flashplayer", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_2DDE5A566AB111E8B6396451062F0F7A.NASL", "href": "https://www.tenable.com/plugins/nessus/110403", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2022 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110403);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/27\");\n\n script_cve_id(\"CVE-2018-4945\", \"CVE-2018-5000\", \"CVE-2018-5001\", \"CVE-2018-5002\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n script_name(english:\"FreeBSD : Flash Player -- multiple vulnerabilities (2dde5a56-6ab1-11e8-b639-6451062f0f7a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Adobe reports :\n\n- This update resolves a type confusion vulnerability that could lead\nto arbitrary code execution (CVE-2018-4945).\n\n- This update resolves an integer overflow vulnerability that could\nlead to information disclosure (CVE-2018-5000).\n\n- This update resolves an out-of-bounds read vulnerability that could\nlead to information disclosure (CVE-2018-5001).\n\n- This update resolves a stack-based buffer overflow vulnerability\nthat could lead to arbitrary code execution (CVE-2018-5002).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\"\n );\n # 
https://vuxml.freebsd.org/freebsd/2dde5a56-6ab1-11e8-b639-6451062f0f7a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13773e4f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-5002\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-flashplayer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux-flashplayer<30.0.0.113\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:47:06", "description": "The remote Windows host is missing security update KB4287903. 
It is, therefore, affected by multiple remote code execution vulnerabilities in Adobe Flash Player.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-08T00:00:00", "type": "nessus", "title": "KB4287903: Security update for Adobe Flash Player (June 2018)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "SMB_NT_MS18_JUN_4287903.NASL", "href": "https://www.tenable.com/plugins/nessus/110414", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110414);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-4945\",\n \"CVE-2018-5000\",\n \"CVE-2018-5001\",\n \"CVE-2018-5002\"\n );\n script_bugtraq_id(104412, 104413);\n script_xref(name:\"MSKB\", value:\"4287903\");\n script_xref(name:\"MSFT\", value:\"MS18-4287903\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n 
script_name(english:\"KB4287903: Security update for Adobe Flash Player (June 2018)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update KB4287903. It is,\ntherefore, affected by multiple remote code execution vulnerabilities\nin Adobe Flash Player.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n # https://support.microsoft.com/en-us/help/4287903/security-update-for-adobe-flash-player\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ea99fd83\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4287903 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-5002\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4287903');\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, \"activex_init\");\n\n# Adobe Flash Player CLSID\nclsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}';\n\nfile = activex_get_filename(clsid:clsid);\nif (isnull(file))\n{\n activex_end();\n audit(AUDIT_FN_FAIL, \"activex_get_filename\", \"NULL\");\n}\nif (!file)\n{\n activex_end();\n audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);\n}\n\n# Get its version.\nversion = activex_get_fileversion(clsid:clsid);\nif (!version)\n{\n activex_end();\n audit(AUDIT_VER_FAIL, file);\n}\n\ninfo = '';\n\niver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\niver = join(iver, sep:\".\");\n\n# all <= 29.0.0.171\nfix = 
FALSE;\nif(ver_compare(ver:iver, fix:\"29.0.0.171\", strict:FALSE) <= 0)\n fix = \"30.0.0.113\";\n\nif (\n (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) &&\n fix\n)\n{\n info = '\\n Path : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n}\n\nport = kb_smb_transport();\n\nif (info != '')\n{\n if (report_paranoia > 1)\n {\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit was\\n' +\n \"set for the control's CLSID because of the Report Paranoia setting\" + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n report = info +\n '\\n' +\n 'Moreover, its kill bit is not set so it is accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_add_report(bulletin:'MS18-06', kb:'4287903', report);\n security_report_v4(severity:SECURITY_HOLE, port:port, extra:hotfix_get_report());\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:47:18", "description": "An update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.\n\nThis update upgrades Flash Player to version 30.0.0.113.\n\nSecurity Fix(es) :\n\n* flash-plugin: Arbitrary Code Execution vulnerability (APSB18-19) (CVE-2018-4945)\n\n* flash-plugin: Arbitrary Code Execution vulnerability (APSB18-19) (CVE-2018-5002)\n\n* flash-plugin: Information Disclosure vulnerabilities (APSB18-19) (CVE-2018-5000, CVE-2018-5001)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-12T00:00:00", "type": "nessus", "title": "RHEL 6 : flash-plugin (RHSA-2018:1827)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2022-05-25T00:00:00", 
"cpe": ["p-cpe:/a:redhat:enterprise_linux:flash-plugin", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2018-1827.NASL", "href": "https://www.tenable.com/plugins/nessus/110469", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1827. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110469);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-4945\",\n \"CVE-2018-5000\",\n \"CVE-2018-5001\",\n \"CVE-2018-5002\"\n );\n script_xref(name:\"RHSA\", value:\"2018:1827\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n script_name(english:\"RHEL 6 : flash-plugin (RHSA-2018:1827)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for flash-plugin is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe\nFlash Player web browser plug-in.\n\nThis update upgrades Flash Player to version 30.0.0.113.\n\nSecurity Fix(es) :\n\n* flash-plugin: Arbitrary Code Execution vulnerability (APSB18-19)\n(CVE-2018-4945)\n\n* flash-plugin: Arbitrary Code Execution vulnerability (APSB18-19)\n(CVE-2018-5002)\n\n* flash-plugin: Information Disclosure vulnerabilities (APSB18-19)\n(CVE-2018-5000, CVE-2018-5001)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2018:1827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-4945\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-5000\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-5001\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-5002\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-plugin package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-5002\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:flash-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:1827\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"flash-plugin-30.0.0.113-1.el6_9\")) flag++;\n\n if (flag)\n {\n flash_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check only applies to RedHat released\\n' +\n 'versions of the flash-plugin package. 
This check does not apply to\\n' +\n 'Adobe released versions of the flash-plugin package, which are\\n' +\n 'versioned similarly and cause collisions in detection.\\n\\n' +\n\n 'If you are certain you are running the Adobe released package of\\n' +\n 'flash-plugin and are running a version of it equal or higher to the\\n' +\n 'RedHat version listed above then you can consider this a false\\n' +\n 'positive.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat() + flash_plugin_caveat\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-plugin\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:50", "description": "Versions of Adobe Flash Player prior to 30.0.0.113 are unpatched, and therefore affected by multiple vulnerabilities :\n\n - A type confusion vulnerability exists that could lead to arbitrary code execution. (CVE-2018-4945)\n - An integer overflow vulnerability exists that could lead to information disclosure. (CVE-2018-5000)\n - An out-of-bounds read vulnerability exists that could lead to information disclosure. (CVE-2018-5001)\n - A stack-based buffer overflow vulnerability exists that could lead to arbitrary code execution. 
(CVE-2018-5002)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-20T00:00:00", "type": "nessus", "title": "Flash Player < 30.0.0.113 Multiple Vulnerabilities (APSB18-19)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2019-04-09T00:00:00", "cpe": ["cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*"], "id": "700434.PRM", "href": "https://www.tenable.com/plugins/nnm/700434", "sourceData": "Binary data 700434.prm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:47:06", "description": "The version of Adobe Flash Player installed on the remote macOS or Mac OS X host is equal or prior to version 29.0.0.171.\nIt is therefore affected by multiple vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-07T00:00:00", "type": "nessus", "title": "Adobe Flash Player for Mac <= 29.0.0.171 (APSB18-19)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "MACOSX_FLASH_PLAYER_APSB18-19.NASL", "href": "https://www.tenable.com/plugins/nessus/110396", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110396);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-4945\",\n \"CVE-2018-5000\",\n \"CVE-2018-5001\",\n \"CVE-2018-5002\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n script_name(english:\"Adobe Flash Player for Mac <= 29.0.0.171 (APSB18-19)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote macOS or Mac OSX host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote macOS or Mac\nOS X host is equal or prior to version 29.0.0.171.\nIt is therefore affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 30.0.0.113 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-5002\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_flash_player_installed.nasl\");\n script_require_keys(\"MacOSX/Flash_Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Flash_Player/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Flash_Player/Path\");\n\ncutoff_version = \"29.0.0.171\";\nfix = \"30.0.0.113\";\n# We're checking for versions less than or equal to the cutoff!\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Flash Player for Mac\", version, path);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:46:52", "description": "The remote host is affected by the vulnerability described in GLSA-201806-02 (Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process or obtain sensitive information.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-14T00:00:00", "type": "nessus", "title": "GLSA-201806-02 : Adobe Flash Player: Multiple vulnerabilities", 
"bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4944", "CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2022-05-27T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:adobe-flash", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201806-02.NASL", "href": "https://www.tenable.com/plugins/nessus/110523", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201806-02.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110523);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/27\");\n\n script_cve_id(\"CVE-2018-4944\", \"CVE-2018-4945\", \"CVE-2018-5000\", \"CVE-2018-5001\", \"CVE-2018-5002\");\n script_xref(name:\"GLSA\", value:\"201806-02\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n script_name(english:\"GLSA-201806-02 : Adobe Flash Player: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-201806-02\n(Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process or obtain sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201806-02\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Adobe Flash Player users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-plugins/adobe-flash-30.0.0.113'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-5002\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:adobe-flash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-plugins/adobe-flash\", unaffected:make_list(\"ge 30.0.0.113\"), vulnerable:make_list(\"lt 30.0.0.113\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Flash Player\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2021-07-28T14:34:03", "description": "Arch Linux Security Advisory ASA-201806-7\n=========================================\n\nSeverity: Critical\nDate : 2018-06-09\nCVE-ID : CVE-2018-4945 CVE-2018-5000 CVE-2018-5001 CVE-2018-5002\nPackage : flashplugin\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-716\n\nSummary\n=======\n\nThe package flashplugin before version 30.0.0.113-1 is vulnerable to\nmultiple issues including arbitrary code execution and information\ndisclosure.\n\nResolution\n==========\n\nUpgrade to 30.0.0.113-1.\n\n# pacman -Syu \"flashplugin>=30.0.0.113-1\"\n\nThe problems have been fixed upstream in version 30.0.0.113.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2018-4945 (arbitrary code execution)\n\nA type confusion issue has been found in Adobe Flash Player 
before\n30.0.0.113, leading to arbitrary code execution.\n\n- CVE-2018-5000 (information disclosure)\n\nAn integer overflow issue has been found in Adobe Flash Player before\n30.0.0.113, leading to information disclosure.\n\n- CVE-2018-5001 (information disclosure)\n\nAn out-of-bounds read has been found in Adobe Flash Player before\n30.0.0.113, leading to information disclosure.\n\n- CVE-2018-5002 (arbitrary code execution)\n\nA stack-based buffer overflow has been found in Adobe Flash Player\nbefore 30.0.0.113, leading to arbitrary code execution.\n\nImpact\n======\n\nA remote attacker can access sensitive information or execute arbitrary\ncode via a crafted Flash file.\n\nReferences\n==========\n\nhttps://helpx.adobe.com/security/products/flash-player/apsb18-19.html\nhttps://security.archlinux.org/CVE-2018-4945\nhttps://security.archlinux.org/CVE-2018-5000\nhttps://security.archlinux.org/CVE-2018-5001\nhttps://security.archlinux.org/CVE-2018-5002", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-09T00:00:00", "type": "archlinux", "title": "[ASA-201806-7] flashplugin: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2018-06-09T00:00:00", "id": "ASA-201806-7", "href": "https://security.archlinux.org/ASA-201806-7", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2018-06-08T16:23:49", "description": "\n\nIt was a busy day yesterday, with Adobe issuing four emergency patches for their Flash Player, including one for a zero-day being actively exploited in the wild. Adobe has [indicated](<https://helpx.adobe.com/security/products/flash-player/apsb18-19.html>) that CVE-2018-5002 was discovered being used in limited, targeted attacks on Windows users in the wild. The attacks use Microsoft Office documents embedded with malicious Flash Player content.\n\nThree of the four CVEs were found through our Zero Day Initiative:\n\n| \n\n * CVE-2018-4945: Jihui Lu of Tencent KeenLab and willJ of Tencent PC Manager working with Trend Micro's Zero Day Initiative\n * CVE-2018-5000: Anonymously reported through Trend Micro's Zero Day Initiative\n * CVE-2018-5001: Anonymously reported through Trend Micro's Zero Day Initiative\n * CVE-2018-5002: Independently identified and reported by the following organizations and individuals: Chenming Xu and Jason Jones of ICEBRG, Bai Haowen, Zeng Haitao and Huang Chaowen of 360 Threat Intelligence Center of 360 Enterprise Security Group, and Yang Kang, Hu Jiang, Zhang Qing, and Jin Quan of Qihoo 360 Core Security (@360CoreSec), Tencent PC Manager \n---|--- \n| \n \nWe issued an out-of-band Digital Vaccine (DV) package to address these vulnerabilities:\n\n**Bulletin #** | **CVE #** | **Digital Vaccine Filter** \n---|---|--- \nAPSB18-19 | CVE-2018-4945 | 32133: HTTP: Adobe Flash MovieClip object Memory Corruption Vulnerability (ZDI-18-570) \nAPSB18-19 | CVE-2018-5000 | 32134: HTTP: Adobe Flash RTMP Information Disclosure Vulnerability (ZDI-18-569) \nAPSB18-19 | CVE-2018-5001 | 32132: HTTP: 
Adobe Flash ApplyFilter Method Information Disclosure Vulnerability (ZDI-18-568) \nAPSB18-19 | CVE-2018-5002 | 32131: HTTP: Adobe Flash XLSX li8 Buffer Overflow Vulnerability \n \n \n\n**Zero-Day Filters**\n\nThere are 16 new zero-day filters covering 10 vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Adobe (1)_**\n\n| \n\n * 31950: HTTP: Adobe Acrobat Pro DC ImageConversion EMF Parsing Out-Of-Bounds Read Vulnerability (ZDI-18-213) \n---|--- \n| \n \n**_Advantech (4)_**\n\n| \n\n * 31848: HTTP: Advantech WebAccess Node uMailLogin Proj SQL Injection Vulnerability (ZDI-18-144)\n * 31954: HTTP: Advantech WebAccess Node screnc Buffer Overflow Vulnerability (ZDI-18-498)\n * 31957: RPC: Advantech WebAccess Node bwmakdir Buffer Overflow Vulnerability (ZDI-18-497)\n * 31973: HTTP: Advantech WebAccess NMS DownloadAction Directory Traversal Vulnerability (ZDI-18-471) \n---|--- \n| \n \n**_Apple (2)_**\n\n| \n\n * 31943: HTTP: Apple Safari Spread Operator Type Confusion Vulnerability (ZDI-18-271)\n * 31951: HTTP: Apple Safari RenderLayer Use-After-Free Vulnerability (ZDI-18-274) \n---|--- \n| \n \n**_Foxit (2)_**\n\n| \n\n * 31941: HTTP: Foxit Reader Text Annotations Use-After-Free Vulnerability (ZDI-18-342)\n * 31945: HTTP: Foxit Reader XFA execEvent Use-After-Free Vulnerability (ZDI-18-354) \n---|--- \n| \n \n**_Microsoft (1)_**\n\n| 
\n\n * 31952: HTTP: Microsoft Windows VBScript Filter Function Memory Corruption Vulnerability (ZDI-18-296) \n---|--- \n| \n \n**_Novell (1)_**\n\n| \n\n * 31840: HTTP: Novell NetIQ Access Manager FwRequest Unrestricted File Upload (ZDI-18-145) \n---|--- \n| \n \n**_OMRON (1)_**\n\n| \n\n * 29983: HTTP: OMRON CX-Supervisor SCS Alarm Object Use-After-Free Vulnerability (ZDI-18-255) \n---|--- \n| \n \n**_Spotify (1)_**\n\n| \n\n * 31958: HTTP: Spotify Music Player URI Parsing Command Injection Vulnerability (ZDI-18-280) \n---|--- \n| \n \n**_Trend Micro (1)_**\n\n| \n\n * 31949: HTTP: Trend Micro Smart Protection Server Auth Command Injection Vulnerability (ZDI-18-218) \n---|--- \n| \n \n**_WECON (2)_**\n\n| \n\n * 31879: ZDI-CAN-5788: Zero Day Initiative Vulnerability (WECON LeviStudioU)\n * 31881: ZDI-CAN-5794,5795: Zero Day Initiative Vulnerability (WECON LeviStudioU) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-may-28-2018/>).\n\nThe post [TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of June 4, 2018](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-june-4-2018/>) appeared first on [](<https://blog.trendmicro.com>).", "cvss3": {}, "published": "2018-06-08T15:12:05", "type": "trendmicroblog", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of June 4, 2018", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2018-06-08T15:12:05", "id": "TRENDMICROBLOG:2E1DD618823C4F9E766FE77AB4EB8913", "href": "https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-june-4-2018/", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-10-24T21:13:51", "description": "This host is installed with Adobe 
Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-08T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates(apsb18-19)-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-5001", "CVE-2018-5002", "CVE-2018-5000", "CVE-2018-4945"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310813397", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813397", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates(apsb18-19)-MAC OS X\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813397\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2018-5002\", \"CVE-2018-4945\", \"CVE-2018-5000\", \"CVE-2018-5001\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-08 12:20:32 +0530 (Fri, 08 Jun 2018)\");\n script_name(\"Adobe Flash Player Security Updates(apsb18-19)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - A type confusion error.\n\n - An integer overflow error.\n\n - An out-of-bounds read error.\n\n - A stack-based buffer overflow error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct arbitrary code execution and disclosure of sensitive\n information.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version before\n 30.0.0.113 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 30.0.0.113, or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Flash/Player/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:vers, test_version:\"30.0.0.113\"))\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"30.0.0.113\", install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:14:43", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-08T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates(apsb18-19)-Linux", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-5001", "CVE-2018-5002", "CVE-2018-5000", "CVE-2018-4945"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310813398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates(apsb18-19)-Linux\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute 
it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813398\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2018-5002\", \"CVE-2018-4945\", \"CVE-2018-5000\", \"CVE-2018-5001\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-08 12:20:33 +0530 (Fri, 08 Jun 2018)\");\n script_name(\"Adobe Flash Player Security Updates(apsb18-19)-Linux\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - A type confusion error.\n\n - An integer overflow error.\n\n - An out-of-bounds read error.\n\n - A stack-based buffer overflow error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct arbitrary code execution and disclosure of sensitive\n information.\");\n\n 
script_tag(name:\"affected\", value:\"Adobe Flash Player version before\n 30.0.0.113 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 30.0.0.113, or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:vers, test_version:\"30.0.0.113\"))\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"30.0.0.113\", install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:14:40", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-08T00:00:00", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update(apsb18-19)-Linux", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-5001", "CVE-2018-5002", "CVE-2018-5000", "CVE-2018-4945"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310813400", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813400", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Within Google 
Chrome Security Update(apsb18-19)-Linux\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813400\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2018-5002\", \"CVE-2018-4945\", \"CVE-2018-5000\", \"CVE-2018-5001\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-08 12:21:40 +0530 (Fri, 08 Jun 2018)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update(apsb18-19)-Linux\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - A type confusion error.\n\n - An integer overflow error.\n\n - An 
out-of-bounds read error.\n\n - A stack-based buffer overflow error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct arbitrary code execution and disclosure of sensitive\n information.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player prior to 30.0.0.113\n within Google Chrome on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for\n Google Chrome 30.0.0.113, or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/Lin/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:vers, test_version:\"30.0.0.113\"))\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"30.0.0.113\", install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:14:23", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-08T00:00:00", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update(apsb18-19)-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-5001", "CVE-2018-5002", "CVE-2018-5000", "CVE-2018-4945"], 
"modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310813601", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813601", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Within Google Chrome Security Update(apsb18-19)-MAC OS X\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813601\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2018-5002\", \"CVE-2018-4945\", \"CVE-2018-5000\", \"CVE-2018-5001\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-08 12:21:41 +0530 (Fri, 08 Jun 2018)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update(apsb18-19)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe 
Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - A type confusion error.\n\n - An integer overflow error.\n\n - An out-of-bounds read error.\n\n - A stack-based buffer overflow error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct arbitrary code execution and disclosure of sensitive\n information.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player prior to 30.0.0.113\n within Google Chrome on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for\n Google Chrome 30.0.0.113, or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/MacOSX/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:vers, test_version:\"30.0.0.113\"))\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"30.0.0.113\", install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:14:05", "description": "This host is installed with Adobe Flash Player\n and 
is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-08T00:00:00", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update(apsb18-19)-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-5001", "CVE-2018-5002", "CVE-2018-5000", "CVE-2018-4945"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310813399", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813399", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Within Google Chrome Security Update(apsb18-19)-Windows\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813399\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2018-5002\", \"CVE-2018-4945\", \"CVE-2018-5000\", \"CVE-2018-5001\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-08 12:21:39 +0530 (Fri, 08 Jun 2018)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update(apsb18-19)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - A type confusion error.\n\n - An integer overflow error.\n\n - An out-of-bounds read error.\n\n - A stack-based buffer overflow error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct arbitrary code execution and disclosure of sensitive\n information.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player prior to 30.0.0.113\n within Google Chrome on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for\n Google Chrome 30.0.0.113, or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:vers, test_version:\"30.0.0.113\"))\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"30.0.0.113\", install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:14:57", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-08T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates(apsb18-19)-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-5001", "CVE-2018-5002", "CVE-2018-5000", "CVE-2018-4945"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310813396", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813396", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates(apsb18-19)-Windows\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you 
can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813396\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2018-5002\", \"CVE-2018-4945\", \"CVE-2018-5000\", \"CVE-2018-5001\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-08 12:20:31 +0530 (Fri, 08 Jun 2018)\");\n script_name(\"Adobe Flash Player Security Updates(apsb18-19)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - A type confusion error.\n\n - An integer overflow error.\n\n - An out-of-bounds read error.\n\n - A stack-based buffer overflow error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct arbitrary code execution and disclosure of sensitive\n 
information.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version before\n 30.0.0.113 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 30.0.0.113, or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb18-19.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:vers, test_version:\"30.0.0.113\"))\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"30.0.0.113\", install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2021-10-19T20:40:03", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.\n\nThis update upgrades Flash Player to version 30.0.0.113.\n\nSecurity Fix(es):\n\n* flash-plugin: Arbitrary Code Execution vulnerability (APSB18-19) (CVE-2018-4945)\n\n* flash-plugin: Arbitrary\u00a0Code Execution vulnerability (APSB18-19) (CVE-2018-5002)\n\n* flash-plugin: Information Disclosure vulnerabilities (APSB18-19) (CVE-2018-5000, CVE-2018-5001)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-11T12:45:39", "type": "redhat", "title": "(RHSA-2018:1827) Critical: flash-plugin security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2018-06-12T21:25:25", "id": "RHSA-2018:1827", "href": "https://access.redhat.com/errata/RHSA-2018:1827", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:31", "description": "\n\nAdobe reports:\n\n\nThis update resolves a type confusion vulnerability that\n\t could lead to arbitrary code execution (CVE-2018-4945).\nThis update resolves an integer overflow vulnerability that\n\t could lead to information disclosure (CVE-2018-5000).\nThis update resolves an out-of-bounds read vulnerability that\n\t could lead to information disclosure (CVE-2018-5001).\nThis update resolves a stack-based buffer overflow vulnerability that\n\t could lead to arbitrary code execution (CVE-2018-5002).\n\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-07T00:00:00", "type": "freebsd", "title": "Flash Player -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2018-07-11T00:00:00", "id": "2DDE5A56-6AB1-11E8-B639-6451062F0F7A", "href": "https://vuxml.freebsd.org/freebsd/2dde5a56-6ab1-11e8-b639-6451062f0f7a.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2022-10-26T18:28:14", "description": "This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin [APSB18-19](<http://helpx.adobe.com/security/products/flash-player/apsb18-19.html>): CVE-2018-4945, CVE-2018-5000, CVE-2018-5001, CVE-2018-5002.\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": 
"3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-07T07:00:00", "type": "mscve", "title": "June 2018 Adobe Flash Security Update", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5001", "CVE-2018-5002", "CVE-2018-5000", "CVE-2018-4945"], "modified": "2018-06-07T07:00:00", "id": "MS:ADV180014", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV180014", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T19:04:16", "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process or obtain sensitive information. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-plugins/adobe-flash-30.0.0.113\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-13T00:00:00", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4944", "CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2018-06-13T00:00:00", "id": "GLSA-201806-02", "href": "https://security.gentoo.org/glsa/201806-02", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-12-22T23:55:08", "description": "### *Detect date*:\n06/06/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Adobe Flash player. 
Malicious users can exploit these vulnerabilities to execute arbitrary code and obtain sensitive information.\n\n### *Affected products*:\nAdobe Flash player NPAPI earlier than 30.0.0.113 \nAdobe Flash player PPAPI earlier than 30.0.0.113 \nAdobe Flash player ActiveX earlier than 30.0.0.113\n\n### *Solution*:\nUpdate to the latest version \n[Flash Player Download Center](<https://get.adobe.com/flashplayer/>)\n\n### *Original advisories*:\n[APSB18-19](<https://helpx.adobe.com/security/products/flash-player/apsb18-19.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Adobe Flash Player ActiveX](<https://threats.kaspersky.com/en/product/Adobe-Flash-Player-ActiveX/>)\n\n### *CVE-IDS*:\n[CVE-2018-4945](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4945>) 6.8 High \n[CVE-2018-5000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5000>) 4.3 Warning \n[CVE-2018-5001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5001>) 4.3 Warning\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-06T00:00:00", "type": "kaspersky", "title": "KLA11261 Multiple vulnerabilities in Adobe Flash player", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001"], "modified": "2020-06-18T00:00:00", "id": "KLA11261", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11261/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:40:29", "description": "If you have already uninstalled Flash player, well done! But if you haven't, here's another great reason for ditching it. 
\n \nAdobe has [released](<https://helpx.adobe.com/security/products/flash-player/apsb18-19.html>) a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attacks against Windows users. \n \nIndependently discovered last week by several security firms\u2014including [ICEBRG](<https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack>), [Qihoo 360](<https://blogs.360.cn/blog/cve-2018-5002-en/>) and Tencent\u2014the Adobe Flash player zero-day attacks have primarily been targeting users in the Middle East using a specially crafted Excel spreadsheet. \n \n\n\n> \"The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers,\" Qihoo 360 published vulnerability analysis in a blog post.\n\n \nThe stack-based buffer overflow vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions on Windows, MacOS, and Linux, as well as Adobe Flash Player for Google Chrome, and can be exploited to achieve arbitrary code execution on targeted systems. \n\n\nThe vulnerability resides in the interpreter code of the Flash Player that handles static-init methods, which fails to correctly handle the exceptions for try/catch statements. \n \n\n\n> \"Because Flash assumes that it is impossible to execute to the catch block when processing the try catch statement, it does not check the bytecode in the catch block,\" the researchers explain. 
\"The attacker uses the getlocal, setlocal instruction in the catch block to read and write arbitrary addresses on the stack.\"\n\n \nThe registration date for a web domain, mimicking a job search website in the Middle East, used as the command and control (C&C) server for zero-day attacks suggests that hackers have been making preparations for the attack since February. \n \nBesides the patch for CVE-2018-5002, Adobe also rolled out security updates for two \"important\" vulnerabilities\u2014including Integer Overflow bug (CVE-2018-5000) and an Out-of-bounds read issue (CVE-2018-5001)\u2014both of which lead to information disclosure. \n \nSo, users are highly recommended to immediately update their Adobe Flash Player to versions 30.0.0.113 via their update mechanism within the software or by visiting the Adobe Flash Player Download Center.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-07T15:51:00", "type": "thn", "title": "Adobe Issues Patch for Actively Exploited Flash Player Zero-Day Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5000", "CVE-2018-5001", 
"CVE-2018-5002"], "modified": "2018-06-07T16:53:39", "id": "THN:A63890B8ADE3B23F098107F5CC398A2F", "href": "https://thehackernews.com/2018/06/flash-player-zero-day-exploit.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "Updated flash-player-plugin packages fixes the following security issues A remote attacker could possibly execute arbitrary code with the privileges of the process or obtain sensitive information (CVE-2018-4945, CVE-2018-5000, CVE-2018-5001, CVE-2018-5002). In response to a class of recently disclosed vulnerabilities in popular CPU hardware related to data cache timing (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), known popularly as Spectre and Meltdown, Adobe are disabling the \u2018shareable\u2019 property of the ActionScript ByteArray class by default. For more info see the referenced adobe release notes. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T09:28:36", "type": "mageia", "title": "Updated flash-player-plugin packages fixes security issues\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2018-4945", "CVE-2018-5000", "CVE-2018-5001", "CVE-2018-5002"], "modified": "2018-06-16T09:28:36", "id": "MGASA-2018-0286", "href": "https://advisories.mageia.org/MGASA-2018-0286.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2023-02-01T05:22:24", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have an Integer Overflow vulnerability. Successful exploitation could lead to information disclosure.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-06-07T13:20:02", "type": "redhatcve", "title": "CVE-2018-5000", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5000", "CVE-2018-5001"], "modified": "2023-02-01T04:18:42", "id": "RH:CVE-2018-5000", "href": "https://access.redhat.com/security/cve/cve-2018-5000", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-01T05:22:23", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have an Out-of-bounds read vulnerability. 
Successful exploitation could lead to information disclosure.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2019-10-11T15:56:27", "type": "redhatcve", "title": "CVE-2018-5001", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5000", "CVE-2018-5001"], "modified": "2023-02-01T04:18:45", "id": "RH:CVE-2018-5001", "href": "https://access.redhat.com/security/cve/cve-2018-5001", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-01T05:22:25", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have a Type Confusion vulnerability. 
Successful exploitation could lead to arbitrary code execution in the context of the current user.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-07T13:18:56", "type": "redhatcve", "title": "CVE-2018-4945", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945"], "modified": "2023-02-01T04:18:41", "id": "RH:CVE-2018-4945", "href": "https://access.redhat.com/security/cve/cve-2018-4945", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-01T05:22:25", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have a Stack-based buffer overflow vulnerability. 
Successful exploitation could lead to arbitrary code execution in the context of the current user.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-07T13:19:11", "type": "redhatcve", "title": "CVE-2018-5002", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5002"], "modified": "2023-02-01T04:18:47", "id": "RH:CVE-2018-5002", "href": "https://access.redhat.com/security/cve/cve-2018-5002", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T17:38:00", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have a Type Confusion vulnerability. 
Successful exploitation could lead to arbitrary code execution in the context of the current user.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-07-09T19:29:00", "type": "cve", "title": "CVE-2018-4945", "cwe": ["CWE-704"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945"], "modified": "2019-03-07T20:16:00", "cpe": ["cpe:/a:adobe:flash_player:29.0.0.171", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/a:adobe:flash_player_desktop_runtime:29.0.0.171", "cpe:/o:redhat:enterprise_linux_server:6.0"], "id": "CVE-2018-4945", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4945", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player_desktop_runtime:29.0.0.171:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:chrome:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:internet_explorer_11:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:edge:*:*"]}, {"lastseen": "2022-03-23T17:38:54", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-07-09T19:29:00", "type": "cve", "title": "CVE-2018-5001", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5001"], "modified": "2019-03-07T20:16:00", "cpe": ["cpe:/a:adobe:flash_player:29.0.0.171", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/a:adobe:flash_player_desktop_runtime:29.0.0.171", "cpe:/o:redhat:enterprise_linux_server:6.0"], "id": "CVE-2018-5001", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5001", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player_desktop_runtime:29.0.0.171:*:*:*:*:*:*:*", 
"cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:chrome:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:internet_explorer_11:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:edge:*:*"]}, {"lastseen": "2022-03-23T17:38:55", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have a Stack-based buffer overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-09T19:29:00", "type": "cve", "title": "CVE-2018-5002", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5002"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:adobe:flash_player:29.0.0.171", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/a:adobe:flash_player_desktop_runtime:29.0.0.171", "cpe:/o:redhat:enterprise_linux_server:6.0"], "id": "CVE-2018-5002", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5002", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player_desktop_runtime:29.0.0.171:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:chrome:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:internet_explorer_11:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:edge:*:*"]}, {"lastseen": "2022-03-23T17:38:55", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have an Integer Overflow vulnerability. Successful exploitation could lead to information disclosure.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-07-09T19:29:00", "type": "cve", "title": "CVE-2018-5000", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5000"], "modified": "2019-03-07T20:16:00", "cpe": ["cpe:/a:adobe:flash_player:29.0.0.171", 
"cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/a:adobe:flash_player_desktop_runtime:29.0.0.171", "cpe:/o:redhat:enterprise_linux_server:6.0"], "id": "CVE-2018-5000", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5000", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player_desktop_runtime:29.0.0.171:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:chrome:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:internet_explorer_11:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:29.0.0.171:*:*:*:*:edge:*:*"]}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:28:17", "description": "A type confusion vulnerability exists in Adobe Flash Player. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Flash Player Type Confusion (APSB18-19: CVE-2018-4945)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 
6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945"], "modified": "2018-06-12T00:00:00", "id": "CPAI-2018-0537", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:28:15", "description": "An out-of-bounds read vulnerability exists in Adobe Flash Player. Successful exploitation of this vulnerability could allow a remote attacker to obtain sensitive information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Flash Player Out-of-bounds read (APSB18-19: CVE-2018-5001)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5001"], "modified": "2018-06-12T00:00:00", "id": "CPAI-2018-0539", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-17T11:28:20", "description": "A buffer overflow vulnerability exists in Adobe Flash Player. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system or cause application crashes.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-07T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Flash Player Buffer Overflow (CVE-2018-5002)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5002"], "modified": "2018-06-07T00:00:00", "id": "CPAI-2018-0535", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:28:14", "description": "An integer overflow vulnerability exists in Adobe Flash Player. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Flash Player Integer Overflow (APSB18-19: CVE-2018-5000)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5000"], "modified": "2018-06-12T00:00:00", "id": "CPAI-2018-0538", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "zdi": [{"lastseen": "2022-01-31T21:50:21", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Flash. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Microphone objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. 
An attacker can leverage this vulnerability to execute code under the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-07T00:00:00", "type": "zdi", "title": "Adobe Flash Microphone Type Confusion Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945"], "modified": "2018-06-07T00:00:00", "id": "ZDI-18-570", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-570/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-31T21:50:19", "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Flash. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of BitmapData objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-06-07T00:00:00", "type": "zdi", "title": "Adobe Flash Player BitmapData applyFilter Out-Of-Bounds Read Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5001"], "modified": "2018-06-07T00:00:00", "id": "ZDI-18-568", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-568/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-31T21:50:19", "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Flash. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the handling of RTMP data. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before reading from memory. 
An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-06-07T00:00:00", "type": "zdi", "title": "Adobe Flash RTMP Parsing Integer Overflow Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5000"], "modified": "2018-06-07T00:00:00", "id": "ZDI-18-569", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-569/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:48:15", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have a Type Confusion\nvulnerability. 
Successful exploitation could lead to arbitrary code\nexecution in the context of the current user.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-07-09T00:00:00", "type": "ubuntucve", "title": "CVE-2018-4945", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4945"], "modified": "2018-07-09T00:00:00", "id": "UB:CVE-2018-4945", "href": "https://ubuntu.com/security/CVE-2018-4945", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:48:15", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have an Out-of-bounds\nread vulnerability. 
Successful exploitation could lead to information\ndisclosure.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-07-09T00:00:00", "type": "ubuntucve", "title": "CVE-2018-5001", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5001"], "modified": "2018-07-09T00:00:00", "id": "UB:CVE-2018-5001", "href": "https://ubuntu.com/security/CVE-2018-5001", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T13:48:15", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have a Stack-based\nbuffer overflow vulnerability. 
Successful exploitation could lead to\narbitrary code execution in the context of the current user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-09T00:00:00", "type": "ubuntucve", "title": "CVE-2018-5002", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5002"], "modified": "2018-07-09T00:00:00", "id": "UB:CVE-2018-5002", "href": "https://ubuntu.com/security/CVE-2018-5002", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T13:48:16", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have an Integer Overflow\nvulnerability. 
Successful exploitation could lead to information\ndisclosure.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-07-09T00:00:00", "type": "ubuntucve", "title": "CVE-2018-5000", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5000"], "modified": "2018-07-09T00:00:00", "id": "UB:CVE-2018-5000", "href": "https://ubuntu.com/security/CVE-2018-5000", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "myhack58": [{"lastseen": "2018-06-13T14:53:07", "description": "The 360 Enterprise Security Threat Intelligence Center recently captured an APT attack that uses a Flash 0day vulnerability delivered through Microsoft Office documents. The attack sample is the first to use a technique with no built-in Flash file: the Office document does not contain the Flash file itself. 
After confirming the vulnerability, we notified the vendor, Adobe, right away, becoming the first organization in China to report this attack and the associated vulnerability to the vendor. The security bulletin Adobe released yesterday acknowledges the 360 Threat Intelligence Center. \nAdobe's reply confirming the vulnerability, and its public acknowledgement \nThe entire exploit process is highly engineered: the attacker deploys the Loader (the first stage, a Flash file used to download the malicious Flash files), the Exploit (the second-stage exploit code) and the Payload (the third-stage shellcode) on the server, and the next stage is downloaded only if every attack/detection step of the current stage succeeds, which makes reconstructing the whole attack process and the exploit code very difficult. By analyzing the sample's special structure, correlating big data and analyzing domain names, the 360 Threat Intelligence Center found that the attack tooling behind this exploit is suspected to be related to Hacking Team. \nBecause this vulnerability and its exploit code are likely to be adapted by cybercrime groups and other APT groups for large-scale attacks, they pose a real threat, so the 360 Threat Intelligence Center reminds users to take protective measures. \nVulnerability summary \nVulnerability name \nAdobe Flash Player remote code execution vulnerability \nThreat type \nRemote code execution \nThreat level \nHigh \nVulnerability ID \nCVE-2018-5002 \nExploitation scenario \nAn attacker sends the victim a maliciously crafted Office file via web download, e-mail, instant messaging or other channels and lures them into opening it, which may trigger the vulnerability and execute arbitrary commands on the user's system to gain control of it. 
\nAffected systems and application versions \nAdobe Flash Player 29.0.0.171 and earlier versions \nUnaffected systems and application versions \nAdobe Flash Player 30.0.0.113 (the latest version after the fix) \nFix and upgrade address \nhttps://get.adobe.com/flashplayer/ \nSample overview \nFrom the language attributes of the captured attack sample and information about its C&C server, we infer that this is an APT attack targeting the Qatar region. After the sample was uploaded to VirusTotal on May 31, it had 0 malware detections for several days; as of June 7, only 360's antivirus engine recognized it as malicious code. Through detailed analysis, the 360 Threat Intelligence Center found that it contains a 0day exploit. \nAttack analysis \nBy tracing the sample's execution, we reconstructed its overall execution flow: \nOverall execution flow of the malicious document containing the Flash 0day \nDecoy document \nThe attacker first sends the targeted personnel an Excel decoy document containing a Flash ActiveX object and tricks the victim into opening it. \nFlash ActiveX control \nThe decoy document contains a Flash ActiveX control. \nHowever, the Flash ActiveX object does not contain the Flash file itself; the Flash file is loaded remotely from a URL set in the ActiveX object, which evades antivirus detection very effectively. 
\nThe Excel document passes parameters to the remotely loaded Flash, including the download address of the second-stage Flash and the address of the sample's C&C server. \nFirst-stage Flash \nThe main function of the first-stage Flash file, downloaded from the URL set in the Flash ActiveX object, is to keep communicating with the remote server and download the AES-encrypted second-stage Flash file: \nFetching the first-stage Flash file \nSecond-stage Flash 0day \nBecause the first-stage Flash file lands on disk, the attacker avoids having the Flash exploit code detected or captured by using the first-stage Flash Loader to download the encrypted attack module from the server and load it in memory. \nThe server returns data in the form [KEY+AES-encrypted data]; the first-stage Flash file decrypts the returned data to obtain the second-stage Flash file: \nFetching the AES-encrypted second-stage Flash \nThe second-stage Flash file, encrypted with AES in CBC mode, is decrypted. \nThe second-stage Flash file is then loaded in memory; it contains the Flash 0day exploit code. 
\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-13T00:00:00", "title": "Hacking Team to make a comeback it? CVE-2018-5002 Flash 0day vulnerability APT attack analysis and Association-bug warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5002"], "modified": "2018-06-13T00:00:00", "id": "MYHACK58:62201890436", "href": "http://www.myhack58.com/Article/html/3/62/2018/90436.htm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-06-21T11:13:41", "description": "Recently, the ICEBRG Security Research Team (SRT) identified targeted network attacks exploiting the Adobe Flash 0-day vulnerability CVE-2018-5002, which attackers used to penetrate the networks of important individuals and organizations in the Middle East. 
Using the vulnerability, an attacker can construct a malicious Flash object that executes code on the victim's computer, which enables a subsequent series of payloads and malicious code to run. \nThis article discloses the details of the attack, including a technical analysis, the targeting of Qatar, and some suggested defensive measures. We hope that publishing these findings helps the industry and individuals stay alert to similar attacks using this vulnerability and put defenses in place in time. We first reported the vulnerability to Adobe on June 1, 2018, at 4:14 AM PDT. Adobe and our ICEBRG security team quickly coordinated to reproduce and resolve the vulnerability, and Adobe released a patch on June 7, 2018. \nAttack overview \nWe found that in this attack the CVE-2018-5002 exploit code that runs on the victim's computer is downloaded and executed through Microsoft Office. The entire exploit process is shown in the following figure. First, when the targeted victim clicks the Microsoft Office document in which the attacker has embedded a malicious object, a remote Shockwave Flash (SWF) file is downloaded and executed. Unlike most Flash exploits delivered by Microsoft Office, which embed the Flash file in the document, this document uses a little-known feature to load all of the SWF content from the attacker's server. \nDelivery of the first-stage SWF involves an RSA+AES encryption scheme that protects the download and delivery of the subsequent SWF, which carries the actual exploit code. 
Asymmetric encryption such as RSA can circumvent some traditional replay-based security devices and prevents after-the-fact capture and analysis of the network traffic. In the second stage, once the Microsoft Office document has been clicked and the SWF is triggered on the victim's system, it uses the same encryption scheme to download from the attacker's server and execute shellcode that contains backdoor functionality and follow-on tools, ultimately giving the attacker control of the target system. Typically, the final payload contains the core malicious shellcode. We tried to recover and extract the final payload but, for other reasons, did not succeed. \n! [](/Article/UploadPic/2018-6/2018621151216649. png? www. myhack58. com) \nRemote Flash inclusion \nBecause many browsers disable Flash, the attack loads and plays Adobe Flash Player content from inside Microsoft Office, which is a very popular method. In other respects, however, this attack is different. Generally, the attacker embeds in the document either the entire Flash file containing the exploit code or one that selectively downloads an exploit or payload, as APT28/Sofacy's DealersChoice does. Either way, this leaves defenders a Flash loader file that can be signatured or identified retrospectively. \nUnlike these typical attacks, this one does not embed the Flash file directly but uses a lesser-known feature to include Flash content remotely. As shown below, the result is an XML wrapper that selects the Flash Player ActiveX control and a reference to an OLE object: \n! [](/Article/UploadPic/2018-6/2018621151216229. png? www. myhack58. 
com) \nThe Flash object in the figure above has a \u201cMovie\u201d property, and that property defines the address of a remote Flash object; this is purely an example of how the initial object is included. Loading the embedded Flash object remotely has several significant advantages: \n[AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>) and bypassing defenses: first, the Microsoft Office document itself contains no malicious code. For static detection, the best available check is to analyze the remote inclusion of Flash content. For dynamic detection, the defender's sandbox or emulator must interact with the attacker's server to receive the malicious content, which requires the analysis system to have a live Internet connection. Moreover, the attacker can selectively serve the next stage based on the requesting IP address or the HTTP headers. Once access to the target system is established, the attacker can take the C2 server offline, after which analysis of the attack can rely only on leftover evidence. \nTargeting: because the attacker can selectively serve exploit code to victim systems, the attack can be restricted to the systems of the intended victims. For example, the attacker can whitelist the regional ISP networks of target companies or individuals and blacklist cloud infrastructure and security companies, restricting access to specific IP addresses. The HTTP headers \u201cAccept-Language\u201d and \u201cUser-Agent\u201d can also be used to whitelist the locale and system environment of known victims, or to blacklist security products that send abnormal or incorrect values. 
The order, presence, or absence of HTTP headers usually also makes it possible to distinguish security products from real victims and from the intended targets. Finally, the \u201cx-flash-version\u201d header carries the Flash Player version of the victim's system, so the attacker can choose, on the server side, the most effective exploit code for that version. \nAlthough this approach leaves the attacker only a small static footprint, the remote Flash object is retrieved and executed within Microsoft Office while the document loads. \nThe encryption mechanism \nIn a successful attack, data sent from the server to the client is obscured by a custom encryption scheme built on the AES symmetric algorithm, as shown in the following figure. AES is combined with RSA so that both the payload data and the symmetric key are protected by encryption. The custom scheme uses a common ActionScript library to perform the low-level operations. \n! [](/Article/UploadPic/2018-6/2018621151216302. png? www. myhack58. 
com) \nThe client first initiates the data exchange with the server: using an HTTP POST, it sends the server a randomly generated RSA modulus n and the public exponent e=0x10001, that is, the public key (n, e). The server then responds with data in the following encrypted format: \n0x0: length of the encrypted AES key (L) \n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-21T00:00:00", "title": "FLASH zero-day Vulnerability CVE-2018-5002 in the Middle East directed network attacks exploit-vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5002"], "modified": "2018-06-21T00:00:00", "id": "MYHACK58:62201890504", "href": "http://www.myhack58.com/Article/html/3/62/2018/90504.htm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-06-13T15:28:22", "description": "This article is an extended summary of my presentation at Bluehat Shanghai 2019. 
In this article, I summarize the Office-related 0day/1day vulnerabilities from 2010 to 2018. I go through each type of vulnerability and, for each vulnerability, reference and categorize the related analysis articles. \nI hope this article helps those who later take up Office vulnerability research. \n\nOverview \nFrom 2010 to 2018, 0day/1day attacks on Office never stopped. The CVE numbers below are the 0day/1day vulnerabilities that I specifically observed during my research and for which samples from actual attacks exist (there may be omissions, which readers are welcome to add). \nLet us first look at the specific CVE numbers. \n\n| Year | Number |\n| --- | --- |\n| 2010 | CVE-2010-3333 |\n| 2011 | CVE-2011-0609/CVE-2011-0611 |\n| 2012 | CVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 |\n| 2013 | CVE-2013-0634/CVE-2013-3906 |\n| 2014 | CVE-2014-1761/CVE-2014-4114/CVE-2014-6352 |\n| 2015 | CVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 |\n| 2016 | CVE-2016-4117/CVE-2016-7193/CVE-2016-7855 |\n| 2017 | CVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 |\n| 2018 | CVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 |\n\nWe first classify the vulnerabilities above by component type. Note that Flash itself is also an ActiveX control; in the table below I list it as a separate class. 
\n\n| Component type | Number |\n| --- | --- |\n| RTF control word parsing problem | CVE-2010-3333/CVE-2014-1761/CVE-2016-7193 |\n| Open XML tag parsing problem | CVE-2015-1641/CVE-2017-11826 |\n| ActiveX control parsing problem | CVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 |\n| Office embedded Flash vulnerabilities | CVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 |\n| Office TIFF image parsing vulnerability | CVE-2013-3906 |\n| Office EPS file parsing vulnerability | CVE-2015-2545/CVE-2017-0261/CVE-2017-0262 |\n| Vulnerabilities loaded by means of a Moniker | CVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 |\n| Other Office logic vulnerabilities | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097 |\n\nWe then classify the non-Flash vulnerabilities above by vulnerability type. For a summary of the Flash vulnerabilities, refer to other researchers' articles. \n\n| Vulnerability type | Number |\n| --- | --- |\n| Stack overflow | CVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 |\n| Out-of-bounds write | CVE-2014-1761/CVE-2016-7193 |\n| Type confusion | CVE-2015-1641/CVE-2017-11826/CVE-2017-0262 |\n| Use after free | CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 |\n| Integer overflow | CVE-2013-3906 |\n| Logic vulnerability | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 |\n\nNext, following the second table above and leaving out the Flash vulnerabilities, we look at these vulnerabilities one by one. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThis vulnerability was found by wushi, head of Keen Lab. It is a stack overflow vulnerability. 
\nThere are many analysis articles on this vulnerability on the Kanxue forum; the following are a few. \nCVE-2010-3333 vulnerability analysis (in-depth analysis) \nMS10-087: from vulnerability to patch to the POC \nChapter 2, Section 4 of Vulnerability War also gives a fairly systematic description of this vulnerability; interested readers can read the relevant chapter. \nCVE-2014-1761 \nThis vulnerability is a 0day found by Google. It is a heap out-of-bounds write vulnerability. \nHaifei Li wrote an excellent analysis of the vulnerability. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nThe Kanxue forum also has two high-quality analysis articles on the vulnerability. \nCVE-2014-1761 analysis notes \nms14-017 (cve-2014-1761) study notes, which mention how to configure the correct environment \nAnquanke also has a high-quality analysis of the vulnerability. \nTeaching you step by step how to construct an Office exploit (part 3) \nIn addition, South Korea's AhnLab published a report on this vulnerability. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nWhen debugging this vulnerability, note that some samples have fairly strict requirements on the environment in which they trigger; the articles above mention how to set up a suitable test environment. \nCVE-2016-7193 \nThis vulnerability is a 0day reported to Microsoft by the Austrian Military Cyber Emergency Readiness Team. \nIt is also a heap out-of-bounds write vulnerability. \nBaidu Security Labs has published a fairly complete analysis of the vulnerability. \nAPT attack weapon: the principles of the Word vulnerability CVE-2016-7193 revealed \nI have also shared an article analyzing how to write an exploit for this vulnerability. 
\nConstructing a calc-popping cve-2016-7193 exploit from an in-the-wild sample \n\nOpen XML tag parsing problem \nCVE-2015-1641 \nGoogle's 0day summary table lists this as one of the 0days of 2015. \nThis is a type confusion vulnerability. \nFortinet has written an analysis article on the vulnerability. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAlibaba Security also wrote an excellent analysis of the vulnerability. \nWord type confusion vulnerability CVE-2015-1641 analysis \nAnquanke also has an excellent analysis of the vulnerability. \nTeaching you step by step how to construct an Office exploit (part 4) \nKnownsec 404 Lab also wrote an excellent analysis article on the vulnerability. \nCVE-2015-1641 Word exploit sample analysis \nI have also shared an article on the principles behind this vulnerability. \nApproaches to analyzing Open XML tag parsing vulnerabilities \nWhen debugging Office samples like this one that involve heap spraying, pay special attention to the fact that the debugger's presence tends to affect the process heap layout, particularly through some heap option settings. If the sample does not trigger normally under debugging, this is often the result of launching the sample directly under the debugger; in that case, try double-clicking the sample and attaching the debugger afterwards. 
\n", "edition": 2, "cvss3": {}, "published": "2019-06-13T00:00:00", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "modified": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Adobe Flash Player has a stack-based buffer overflow vulnerability that could lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-23T00:00:00", "type": "cisa_kev", "title": "Adobe Flash Player Stack-based Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5002"], "modified": "2022-05-23T00:00:00", "id": "CISA-KEV-CVE-2018-5002", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-12-07T20:08:26", "description": "Adobe Flash Player versions 29.0.0.171 and earlier have a Stack-based buffer overflow vulnerability. 
Successful exploitation could lead to arbitrary code execution in the context of the current user.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-09T00:00:00", "type": "attackerkb", "title": "CVE-2018-5002", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5002"], "modified": "2020-07-24T00:00:00", "id": "AKB:562EA3B5-6C06-49C6-AE75-917762A9F3B9", "href": "https://attackerkb.com/topics/asAlA7Rc18/cve-2018-5002", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2018-06-08T16:23:18", "description": "**Adobe** has released an emergency update to address a critical security hole in its **Flash Player** browser plugin that is being actively exploited to deploy malicious software. 
If you've got Flash installed -- and if you're using **Google Chrome** or a recent version of **Microsoft Windows** you do -- it's time once again to make sure your copy of Flash is either patched, hobbled or removed.\n\nIn [an advisory](<https://helpx.adobe.com/security/products/flash-player/apsb18-19.html>) published today, Adobe said it is aware of a report that an exploit for the previously unknown Flash flaw -- **CVE-2018-5002** -- exists in the wild, and \"is being used in limited, targeted attacks against Windows users. These attacks leverage **Microsoft Office** documents with embedded malicious Flash Player content distributed via email.\"\n\nThe vulnerable versions of Flash include _v. 29.0.0.171_ and earlier. The version of Flash released today brings the program to _v. 30.0.0.113_ for Windows, **Mac**, **Linux** and **Chrome OS**. Check out [this link](<https://helpx.adobe.com/flash-player.html>) to detect the presence of Flash in your browser and the version number installed.\n\nBoth **Internet Explorer**/**Edge** on **Windows 10** and Chrome should automatically prompt users to update Flash when newer versions are available. At the moment, however, I can't see any signs yet that either Microsoft or Google has pushed out new updates to address the Flash flaw. I'll update this post if that changes. (**Update: June 8, 11:01 a.m. ET:** Looks like the browser makers are starting to push this out. You may still need to restart your browser for the update to take effect.)\n\nAdobe credits Chinese security firm **Qihoo 360** with reporting the zero-day Flash flaw. 
Qihoo said in [a blog post](<http://blogs.360.cn/blog/cve-2018-5002-en/>) that the exploit was seen being used to target individuals and companies in Doha, Qatar, and is believed to be related to a nation-state backed cyber-espionage campaign that uses booby-trapped Office documents to deploy malware.\n\nIn February 2018, Adobe [patched another zero-day Flash flaw](<https://krebsonsecurity.com/2018/02/attackers-exploiting-unpatched-flaw-in-flash/>) that was [tied to cyber espionage attacks launched by North Korean hackers](<https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html>).\n\nHopefully, most readers here have taken my longstanding advice to disable or at least hobble Flash, a buggy and insecure component that nonetheless ships by default with **Google Chrome** and **Internet Explorer**. More on that approach (as well as slightly less radical solutions) can be found in [A Month Without Adobe Flash Player](<http://krebsonsecurity.com/2015/06/a-month-without-adobe-flash-player/>). The short version is that you can probably get by without Flash installed and not miss it at all.\n\nFor readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, [disabling Flash in Chrome](<https://support.google.com/chrome/answer/108086?hl=en>) is simple enough. Paste \u201c<chrome://settings/content>\u201d into a Chrome browser bar and then select \u201cFlash\u201d from the list of items. 
By default it should be set to \u201cAsk first\u201d before running Flash, although users also can disable Flash entirely here or whitelist/blacklist specific sites.\n\nBy default, **Mozilla Firefox** on Windows computers with Flash installed runs Flash in a \u201c[protected mode](<http://blogs.adobe.com/security/2012/06/inside-flash-player-protected-mode-for-firefox.html>),\u201d which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.\n\nAnother, perhaps less elegant, alternative to wholesale kicking Flash to the curb is to keeping it installed in a browser that you don\u2019t normally use, and then only using that browser on sites that require Flash.\n\nAdministrators have the ability to change Flash Player\u2019s behavior when running on Internet Explorer on **Windows 7** and below by prompting the user before playing Flash content. A guide on how to do that is [here](<https://www.adobe.com/content/dam/acom/en/devnet/flashplayer/articles/flash_player_admin_guide/pdf/flash_player_27_0_admin_guide.pdf>) (PDF). Administrators may also consider implementing [Protected View for Office](<https://support.office.com/en-us/article/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653#bm5>). 
Protected View opens a file marked as potentially unsafe in Read-only mode.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-07T16:37:50", "type": "krebs", "title": "Adobe Patches Zero-Day Flash Flaw", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5002"], "modified": "2018-06-07T16:37:50", "id": "KREBS:377DC4DFDAF49AA3F03846964CC1864A", "href": "https://krebsonsecurity.com/2018/06/adobe-patches-zero-day-flash-flaw/", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2018-06-13T00:01:17", "description": "Since our last [report](<https://blog.malwarebytes.com/threat-analysis/2018/03/exploit-kits-winter-2018-review/>) on exploit kits, there have been some new developments with the wider adoption of the [February Flash zero-day](<https://blog.malwarebytes.com/cybercrime/2018/02/new-flash-player-zero-day-comes-inside-office-document/>), as well as the inclusion of a new exploit for [Internet Explorer](<https://blog.malwarebytes.com/threat-analysis/2018/05/internet-explorer-zero-day-browser-attack/>). 
We have not seen that many changes in the drive-by landscape for a long time, although these are the results of improvements closely tied to malspam campaigns and exploits embedded within Microsoft Office.\n\nSince both Flash and the VBScript engine are pieces of software that can be leveraged for web-based attacks, it was only natural to see their integration into exploit kits. While Internet Explorer is not getting any younger, [CVE-2018-8174](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8174>) brings an update to an otherwise 2-year-old vulnerability ([CVE-2016-0189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189>)), which is still used in some drive-by campaigns. As far as Flash is concerned, [CVE-2018-4878](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4878>) has been adopted by almost all exploits kits. At the time of this writing, a newer Flash vulnerability ([CVE-2018-5002](<https://helpx.adobe.com/security/products/flash-player/apsb18-19.html>)) is available but has not been spotted in any EK so far.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/06/CVEs_.png> \"\" )\n\n### RIG\n\nRIG exploit kit remains the most commonly observed EK in the wild, with several different campaigns in action. RIG was the [first to include the new VBScript engine exploit](<https://twitter.com/kafeine/status/999909946496962560>) (CVE-2018-8174) in IE only days after a [Proof of Concept](<https://github.com/smgorelik/Windows-RCE-exploits/tree/master/Web/VBScript>) became publicly available, on top of [adding CVE-2018-4878](<https://twitter.com/kafeine/status/983430384263327744>). 
RIG has pushed various payloads such as [Bunitu](<https://traffic.moe/2018/04/19/index.html>), [Ursnif](<https://traffic.moe/2018/05/16/index.html>), and the popular [SmokeLoader](<https://traffic.moe/2018/04/25/index.html>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/06/RIG_EK.png> \"\" )\n\n### GrandSoft\n\nGrandSoft is an IE-only exploit kit which is observed in a smaller range of distribution campaigns, mostly via malvertising on adult sites. In comparison to its counterparts, GrandSoft is still relying on the older Internet Explorer exploit (CVE-2016-0189) and lacks the obfuscation we normally see in landing pages. Some payloads pushed by GrandSoft include the [AZORult stealer](<https://traffic.moe/2018/04/11/index.html>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/06/GrandSoft_EK.png> \"\" )\n\n### Magnitude\n\nThe South Korea\u2013focused exploit kit is back to using its trusted EK Magniber after having a [short stint with GandCrab ransomware](<https://blog.malwarebytes.com/threat-analysis/2018/04/magnitude-exploit-kit-switches-gandcrab-ransomware/>). Magnitude [added Flash](<https://twitter.com/kafeine/status/980505556715786242>) (CVE-2018-4878) and [went on to integrate IE's CVE-2018-8174](<https://twitter.com/kafeine/status/1002881951060160512>) after a hiatus of about a week with no activity. With its own Magnigate filtering, Base64-encoded landing page and fileless payload, Magnitude is one of the more sophisticated exploit kits on the market.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/06/Magnitude_EK.png> \"\" )\n\n### GreenFlash Sundown\n\nThe elusive GreenFlash Sundown continues to strike via compromised OpenX ad servers. 
Although it is usually seen distributing the Hermes ransomware, 360 Total Security observed a [cryptocurrency miner via several Chinese websites](<https://blog.360totalsecurity.com/en/incoming-multiple-popular-websites-attacked-cryptocurrency-mining-via-greenflash-sundown-exploit-kit/>) running a vulnerable OpenX version. The ad banner used by GF Sundown in this attack, as well as some we documented before, is a Korean language picture that [hides CVE-2018-4878](<https://twitter.com/kafeine/status/972427859909316608>) using [steganography](<https://en.wikipedia.org/wiki/Steganography>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/06/GreenFlash_Sundown_EK.png> \"\" )\n\n### A busy 2018\n\nThere is no doubt that the recent influx of zero-days has given exploit kits a much-needed boost. We did notice an increase in RIG EK campaigns, which probably resulted in higher than usual successful loads for its operators. While attackers are concentrating on Microsoft Office\u2013related exploits, we are observing a cascading effect into exploit kits.\n\nSo far, 2018 has been busier than usual with the discoveries of several directly applicable zero-days, and we can expect to see more in the coming months. 
For instance, we have already witnessed back-to-back Flash zero-days where attackers are capitalizing on ActionScript vulnerabilities.\n\n### Mitigation\n\nWe tested these exploit kits against [Malwarebytes](<https://www.malwarebytes.com/pricing/>), and they were all blocked thanks to our signature-less anti-exploit engine:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/06/EKs_Spring_2018.gif> \"\" )\n\n_Hashes for samples referenced in this post:_\n\nThe post [Exploit kits: Spring 2018 review](<https://blog.malwarebytes.com/cybercrime/2018/06/exploit-kits-spring-2018-review/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-12T19:04:14", "type": "malwarebytes", "title": "Exploit kits: Spring 2018 review", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0189", "CVE-2018-4878", "CVE-2018-5002", "CVE-2018-8174"], "modified": "2018-06-12T19:04:14", "id": "MALWAREBYTES:29082210E17AE80B08D8FF58AED79F23", "href": "https://blog.malwarebytes.com/cybercrime/2018/06/exploit-kits-spring-2018-review/", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2018-08-24T11:03:46", "description": "\n\n## Q2 figures\n\nAccording to KSN:\n\n * Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.\n * 351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.\n * Ransomware attacks were registered on the computers of 158,921 unique users.\n * Our File Anti-Virus logged 192,053,604 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 1,744,244 malicious installation packages\n * 61,045 installation packages for mobile banking Trojans\n * 14,119 installation packages for mobile ransomware Trojans.\n\n## Mobile threats\n\n### General statistics\n\nIn Q2 2018, Kaspersky Lab detected 1,744,244 malicious installation packages, which is 421,666 packages more than in the previous 
quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175855/180803-it-threat-evolution-q2-2018-statistics-1.png>)\n\n_Number of detected malicious installation packages, Q2 2017 \u2013 Q2 2018_\n\n#### **Distribution of detected mobile apps by type**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175922/180803-it-threat-evolution-q2-2018-statistics-2-0.png>)\n\n_Distribution of newly detected mobile apps by type, Q1 2018_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175916/180803-it-threat-evolution-q2-2018-statistics-2.png>)\n\n_Distribution of newly detected mobile apps by type, Q2 2018_\n\nAmong all the threats detected in Q2 2018, the lion's share belonged to potentially unwanted RiskTool apps (55.3%); compared to the previous quarter, their share rose by 6 p.p. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.\n\nSecond place was taken by Trojan-Dropper threats (13%), whose share fell by 7 p.p. 
Most detected files of this type came from the families Trojan-Dropper.AndroidOS.Piom and Trojan-Dropper.AndroidOS.Hqwar.\n\nThe share of advertising apps continued to decrease by 8%, accounting for 9% (against 11%) of all detected threats.\n\nA remarkable development during the reporting period was that SMS Trojans doubled their share up to 8.5% in Q2 from 4.5% in Q1.\n\n#### **TOP 20 mobile malware**\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool or Adware._\n\n | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 70.04 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.17 \n3 | Trojan-Dropper.AndroidOS.Lezok.p | 4.41 \n4 | Trojan.AndroidOS.Agent.rx | 4.11 \n5 | Trojan.AndroidOS.Piom.toe | 3.44 \n6 | Trojan.AndroidOS.Triada.dl | 3.15 \n7 | Trojan.AndroidOS.Piom.tmi | 2.71 \n8 | Trojan.AndroidOS.Piom.sme | 2.69 \n9 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.54 \n10 | Trojan-Downloader.AndroidOS.Agent.ga | 2.42 \n11 | Trojan-Dropper.AndroidOS.Agent.ii | 2.25 \n12 | Trojan-Dropper.AndroidOS.Hqwar.ba | 1.80 \n13 | Trojan.AndroidOS.Agent.pac | 1.73 \n14 | Trojan.AndroidOS.Dvmap.a | 1.64 \n15 | Trojan-Dropper.AndroidOS.Lezok.b | 1.55 \n16 | Trojan-Dropper.AndroidOS.Tiny.d | 1.37 \n17 | Trojan.AndroidOS.Agent.rt | 1.29 \n18 | Trojan.AndroidOS.Hiddapp.bn | 1.26 \n19 | Trojan.AndroidOS.Piom.rfw | 1.20 \n20 | Trojan-Dropper.AndroidOS.Lezok.t | 1.19 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nAs before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.04%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). In second place was Trojan.AndroidOS.Boogr.gsh (12.17%). 
This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>). Third was Dropper.AndroidOS.Lezok.p (4.41%), followed by a close 0.3 p.p. margin by Trojan.AndroidOS.Agent.rx (4.11%), which was in the third position in Q1.\n\n### **Geography of mobile threats**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175855/180803-it-threat-evolution-q2-2018-statistics-3.png>)\n\n_Map of attempted infections using mobile malware, Q2 2018 _\n\nTOP 10 countries by share of users attacked by mobile malware:\n\n | Country* | %** \n---|---|--- \n1 | Bangladesh | 31.17 \n2 | China | 31.07 \n3 | Iran | 30.87 \n4 | Nepal | 30.74 \n5 | Nigeria | 25.66 \n6 | India | 25.04 \n7 | Indonesia | 24.05 \n8 | Ivory Coast | 23.67 \n9 | Pakistan | 23.49 \n10 | Tanzania | 22.38 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q2 2018, Bangladesh (31.17%) topped the list by share of mobile users attacked. China (31.07%) came second with a narrow margin. Third and fourth places were claimed respectively by Iran (30.87%) and Nepal (30.74%).\n\nRussia (8.34%) this quarter was down in 38th spot, behind Taiwan (8.48%) and Singapore (8.46%).\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected 61,045 installation packages for mobile banking Trojans, which is 3.2 times more than in Q1 2018. The largest contribution was made by Trojan-Banker.AndroidOS.Hqwar.jck \u2013 this verdict was given to nearly half of detected new banking Trojans. 
Second came Trojan-Banker.AndroidOS.Agent.dq, accounting for about 5,000 installation packages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175900/180803-it-threat-evolution-q2-2018-statistics-4.png>)\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q2 2018_\n\n**TOP 10 mobile bankers**\n\n | **Verdict** | **%*** \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Agent.dq | 17.74 \n2 | Trojan-Banker.AndroidOS.Svpeng.aj | 13.22 \n3 | Trojan-Banker.AndroidOS.Svpeng.q | 8.56 \n4 | Trojan-Banker.AndroidOS.Asacub.e | 5.70 \n5 | Trojan-Banker.AndroidOS.Agent.di | 5.06 \n6 | Trojan-Banker.AndroidOS.Asacub.bo | 4.65 \n7 | Trojan-Banker.AndroidOS.Faketoken.z | 3.66 \n8 | Trojan-Banker.AndroidOS.Asacub.bj | 3.03 \n9 | Trojan-Banker.AndroidOS.Hqwar.t | 2.83 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 2.77 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nThe most popular mobile banking Trojan in Q2 was Trojan-Banker.AndroidOS.Agent.dq (17.74%), closely followed by Trojan-Banker.AndroidOS.Svpeng.aj (13.22%). These two Trojans use phishing windows to steal information about user's banking cards and online banking credentials. Besides, they steal money through abuse of SMS services, including mobile banking. 
The popular banking malware Trojan-Banker.AndroidOS.Svpeng.q (8.56%) took third place in the rating, moving one notch down from its second place in Q2.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-5.png>)\n\n_Geography of mobile banking threats, Q2 2018_\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans**\n\n | **Country*** | **%**** \n---|---|--- \n1 | USA | 0.79 \n2 | Russia | 0.70 \n3 | Poland | 0.28 \n4 | China | 0.28 \n5 | Tajikistan | 0.27 \n6 | Uzbekistan | 0.23 \n7 | Ukraine | 0.18 \n8 | Singapore | 0.16 \n9 | Moldova | 0.14 \n10 | Kazakhstan | 0.13 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._\n\nOverall, the rating did not see much change from Q1: Russia (0.70%) and USA (0.79%) swapped places, both remaining in TOP 3.\n\nPoland (0.28%) rose from ninth to third place thanks to the active propagation of two Trojans: Trojan-Banker.AndroidOS.Agent.cw and Trojan-Banker.AndroidOS.Marcher.w. 
The latter was first detected in November 2017 and uses a toolset typical of banking malware: SMS interception, phishing windows and Device Administrator privileges to ensure its persistence in the system.\n\n### Mobile ransomware Trojans\n\nIn Q2 2018, we detected **14,119** installation packages for mobile ransomware Trojans, which is larger by half than in Q1.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175849/180803-it-threat-evolution-q2-2018-statistics-6.png>)\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q2 2018_\n\n | Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Zebt.a | 26.71 \n2 | Trojan-Ransom.AndroidOS.Svpeng.ag | 19.15 \n3 | Trojan-Ransom.AndroidOS.Fusob.h | 15.48 \n4 | Trojan-Ransom.AndroidOS.Svpeng.ae | 5.99 \n5 | Trojan-Ransom.AndroidOS.Egat.d | 4.83 \n6 | Trojan-Ransom.AndroidOS.Svpeng.snt | 4.73 \n7 | Trojan-Ransom.AndroidOS.Svpeng.ab | 4.29 \n8 | Trojan-Ransom.AndroidOS.Small.cm | 3.32 \n9 | Trojan-Ransom.AndroidOS.Small.as | 2.61 \n10 | Trojan-Ransom.AndroidOS.Small.cj | 1.80 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab's mobile antivirus attacked by ransomware Trojans._\n\nThe most popular mobile ransomware in Q2 was Trojan-Ransom.AndroidOS.Zebt.a (26.71%), encountered by more than a quarter of all users who got attacked by this type of malware. 
Second came Trojan-Ransom.AndroidOS.Svpeng.ag (19.15%), nudging ahead of once-popular Trojan-Ransom.AndroidOS.Fusob.h (15.48%).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175857/180803-it-threat-evolution-q2-2018-statistics-7.png>)\n\n_Geography of mobile ransomware Trojans, Q2 2018_\n\n**TOP 10 countries by share of users attacked by mobile ransomware Trojans**\n\n | Country* | %** \n---|---|--- \n1 | USA | 0.49 \n2 | Italy | 0.28 \n3 | Kazakhstan | 0.26 \n4 | Belgium | 0.22 \n5 | Poland | 0.20 \n6 | Romania | 0.18 \n7 | China | 0.17 \n8 | Ireland | 0.15 \n9 | Mexico | 0.11 \n10 | Austria | 0.09 \n \n_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000) \n** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nFirst place in the TOP 10 went to the United States (0.49%); the most active family in this country was Trojan-Ransom.AndroidOS.Svpeng:\n\n | Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.ag | 53.53% \n2 | Trojan-Ransom.AndroidOS.Svpeng.ae | 16.37% \n3 | Trojan-Ransom.AndroidOS.Svpeng.snt | 11.49% \n4 | Trojan-Ransom.AndroidOS.Svpeng.ab | 10.84% \n5 | Trojan-Ransom.AndroidOS.Fusob.h | 5.62% \n6 | Trojan-Ransom.AndroidOS.Svpeng.z | 4.57% \n7 | Trojan-Ransom.AndroidOS.Svpeng.san | 4.29% \n8 | Trojan-Ransom.AndroidOS.Svpeng.ac | 2.45% \n9 | Trojan-Ransom.AndroidOS.Svpeng.h | 0.43% \n10 | Trojan-Ransom.AndroidOS.Zebt.a | 0.37% \n \n_* Unique users in USA attacked by this malware as a percentage of all users of Kaspersky Lab's mobile antivirus in this country who were attacked by ransomware Trojans._\n\nItaly (0.28%) came second among countries whose residents were attacked by mobile ransomware. In this country, most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a. 
Third place was claimed by Kazakhstan (0.63%), where Trojan-Ransom.AndroidOS.Small.cm was the most popular mobile ransomware.\n\n## Attacks on IoT devices\n\nJudging by the data from our [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), brute forcing Telnet passwords is the most popular method of IoT malware self-propagation. However, recently there has been an increase in the number of attacks against other services, such as control ports. These ports are assigned services for remote control over routers \u2013 this feature is in demand e.g. with internet service providers. We have observed attempts to launch attacks on IoT devices via port 8291, which is used by Mikrotik RouterOS control service, and via port 7547 (TR-069), which was used, among other purposes, for managing devices in the Deutsche Telekom network.\n\nIn both cases the nature of attacks was much more sophisticated than plain brute force; in particular, they involved exploits. We are inclined to think that the number of such attacks will only grow in the future on the back of the following two factors:\n\n * Brute forcing a Telnet password is a low-efficiency strategy, as there is a strong competition between threat actors. 
Every few seconds, there are brute force attempts; once successful, the threat actor blocks access to Telnet for all other attackers.\n * After each restart of the device, the attackers have to re-infect it, thus losing part of the botnet and having to reclaim it in a competitive environment.\n\nOn the other hand, the first attacker to exploit a vulnerability will gain access to a large number of devices, having spent minimal time.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175929/180803-it-threat-evolution-q2-2018-statistics-8.png>)\n\n_Distribution of attacked services' popularity by number of unique attacking devices, Q2 2018_\n\n### Telnet attacks\n\nThe scheme of attack is as follows: the attackers find a victim device, check if the Telnet port is open on it, and launch the password brute forcing routine. As many manufacturers of IoT devices neglect security (for instance, they reserve service passwords on devices and do not leave a possibility for the user to change them routinely), such attacks become successful and may affect entire lines of devices. The infected devices start scanning new segments of networks and infect new, similar devices or workstations in them.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-9.png>)\n\n_Geography of IoT devices infected in Telnet attacks, Q2 2018_\n\n#### **TOP 10 countries by shares of IoT devices infected via Telnet**\n\n | Country | %* \n---|---|--- \n1 | Brazil | 23.38 \n2 | China | 17.22 \n3 | Japan | 8.64 \n4 | Russia | 7.22 \n5 | USA | 4.55 \n6 | Mexico | 3.78 \n7 | Greece | 3.51 \n8 | South Korea | 3.32 \n9 | Turkey | 2.61 \n10 | India | 1.71 \n \n_* Infected devices in each specific country as a percentage of all IoT devices that attack via Telnet._\n\nIn Q2, Brazil (23.38%) took the lead in the number of infected devices and, consequently, in the number of Telnet attacks. 
Next came China (17.22%) by a small margin, and third came Japan (8.64%).\n\nIn these attacks, the threat actors most often downloaded Backdoor.Linux.Mirai.c (15.97%) to the infected devices.\n\n#### **TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks**\n\n | Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.c | 15.97 \n2 | Trojan-Downloader.Linux.Hajime.a | 5.89 \n3 | Trojan-Downloader.Linux.NyaDrop.b | 3.34 \n4 | Backdoor.Linux.Mirai.b | 2.72 \n5 | Backdoor.Linux.Mirai.ba | 1.94 \n6 | Trojan-Downloader.Shell.Agent.p | 0.38 \n7 | Trojan-Downloader.Shell.Agent.as | 0.27 \n8 | Backdoor.Linux.Mirai.n | 0.27 \n9 | Backdoor.Linux.Gafgyt.ba | 0.24 \n10 | Backdoor.Linux.Gafgyt.af | 0.20 \n \n_*Proportion of downloads of each specific malware program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks_\n\n### SSH attacks\n\nSuch attacks are launched similarly to Telnet attacks, the only difference being that they require bots to have an SSH client installed on them to brute force credentials. The SSH protocol is cryptographically protected, so brute forcing passwords requires large computational resources. Therefore, self-propagation from IoT devices is inefficient, and full-fledged servers are used to launch attacks. The success of an SSH attack hinges on the device owner's or manufacturer's faults; in other words, these are again weak passwords or preset passwords assigned by the manufacturer to an entire line of devices.\n\nChina took the lead in terms of infected devices attacking via SSH. 
Also, China was second in terms of infected devices attacking via Telnet.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-10.png>)\n\n_Geography of IoT devices infected in SSH attacks, Q2 2018_\n\n#### **TOP 10 countries by shares of IoT devices attacked via SSH**\n\n | Country | %* \n---|---|--- \n1 | China | 15.77% \n2 | Vietnam | 11.38% \n3 | USA | 9.78% \n4 | France | 5.45% \n5 | Russia | 4.53% \n6 | Brazil | 4.22% \n7 | Germany | 4.01% \n8 | South Korea | 3.39% \n9 | India | 2.86% \n10 | Romania | 2.23% \n \n_*The proportion of infected devices in each country as a percentage of all infected IoT devices attacking via SSH_\n\n## Online threats in the financial sector\n\n### Q2 events\n\n#### **New banking Trojan DanaBot**\n\nThe Trojan DanaBot was detected in May. It has a modular structure and is capable of loading extra modules with which to intercept traffic, steal passwords and crypto wallets \u2013 generally, a standard feature set for this type of a threat. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojans' main body. DanaBot initially targeted Australian users and financial organizations, however in early April we noticed that it had become active against the financial organizations in Poland.\n\n#### **The peculiar BackSwap technique**\n\nThe banking Trojan BackSwap turned out much more interesting. A majority of similar threats including **Zeus, Cridex **and **Dyreza **intercept the user's traffic either to inject malicious scripts into the banking pages visited by the victim or to redirect it to phishing sites. By contrast, BackSwap uses an innovative technique for injecting malicious scripts: using WinAPI, it emulates keystrokes to open the developer console in the browser, and then it uses this console to inject malicious scripts into web pages. 
In a later version of BackSwap, malicious scripts are injected via the address bar, using JavaScript protocol URLs.\n\n#### **Carbanak gang leader detained**\n\nOn March 26, Europol announced the arrest of a leader of the cybercrime gang behind Carbanak and Cobalt Goblin. This came as a result of a joint operation between Spain's national police, Europol and FBI, as well as Romanian, Moldovan, Belorussian and Taiwanese authorities and private infosecurity companies. It was expected that the leader's arrest would reduce the group's activity, however recent data show that no appreciable decline has taken place. In May and June, we detected several waves of targeted phishing against banks and processing companies in Eastern Europe. The email writers from Carbanak masquerade as support lines of reputable anti-malware vendors, European Central Bank and other organizations. Such emails contained attached weaponized documents exploiting vulnerabilities CVE-2017-11882 and CVE-2017-8570.\n\n#### **Ransomware Trojan uses Doppelg\u00e4nging technique**\n\nKaspersky Lab experts [detected](<https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/>) a case of the ransomware Trojan SynAck using the Process Doppelg\u00e4nging technique. Malware writers use this complex technique to make it stealthier and complicate its detection by security solutions. This was the first case when it was used in a ransomware Trojan.\n\nAnother remarkable event was the Purga (aka Globe) cryptoware propagation [campaign](<https://securelist.ru/trojan-dimnie-and-ransomware-purga/90272/>), during which this cryptoware, alongside other malware including a banking Trojan, was loaded to computers infected with the Trojan Dimnie.\n\n### General statistics on financial threats\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
_\n\nIn Q2 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 215,762 users.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175934/180803-it-threat-evolution-q2-2018-statistics-11.png>)\n\n \n_Number of unique users attacked by financial malware, Q2 2018_\n\n#### **Geography of attacks**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-12.png>)\n\n_Geography of banking malware attacks, Q2 2018_\n\n#### **TOP 10 countries by percentage of attacked users**\n\n| **Country*** | **% ****of users attacked**** \n---|---|--- \n1 | Germany | 2.7% \n2 | Cameroon | 1.8% \n3 | Bulgaria | 1.7% \n4 | Greece | 1.6% \n5 | United Arab Emirates | 1.4% \n6 | China | 1.3% \n7 | Indonesia | 1.3% \n8 | Libya | 1.3% \n9 | Togo | 1.3% \n10 | Lebanon | 1.2% \n \n_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data.\n\n*Excluded are countries with relatively few Kaspersky Lab' product users (under 10,000). \n** Unique Kaspersky Lab users whose computers were targeted by banking Trojans or ATM/PoS malware as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### **TOP 10 banking malware families**\n\n| Name | Verdicts* | % of attacked users** \n---|---|---|--- \n1 | Nymaim | Trojan.Win32. Nymaim | 27.0% | \n2 | Zbot | Trojan.Win32. Zbot | 26.1% | \n3 | SpyEye | Backdoor.Win32. SpyEye | 15.5% | \n4 | Emotet | Backdoor.Win32. Emotet | 5.3% | \n5 | Caphaw | Backdoor.Win32. Caphaw | 4.7% | \n6 | Neurevt | Trojan.Win32. Neurevt | 4.7% | \n7 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 3.3% | \n8 | Gozi | Trojan.Win32. Gozi | 2.0% | \n9 | Shiz | Backdoor.Win32. Shiz | 1.5% | \n10 | ZAccess | Backdoor.Win32. 
ZAccess | 1.3% | \n \n_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q2 2018, the general makeup of TOP 10 stayed the same, however there were some changes in the ranking. Trojan.Win32.Zbot (26.1%) and Trojan.Win32.Nymaim (27%) remain in the lead after swapping positions. The banking Trojan Emotet ramped up its activity and, accordingly, its share of attacked users from 2.4% to 5.3%. Conversely, Caphaw dramatically downsized its activity to only 4.7% from 15.2% in Q1, taking fifth position in the rating.\n\n### Cryptoware programs\n\n#### **Number of new modifications**\n\nIn Q2, we detected 7,620 new cryptoware modifications. This is higher than in Q1, but still well below last year's numbers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175849/180803-it-threat-evolution-q2-2018-statistics-13.png>)\n\n_Number of new cryptoware modifications, Q2 2017 \u2013 Q2 2018_\n\n#### **Number of users attacked by Trojan cryptors**\n\nIn Q2 2018, Kaspersky Lab products blocked cryptoware attacks on the computers of 158,921 unique users. 
Our statistics show that cybercriminals' activity declined both against Q1 and on a month-on-month basis during Q2.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175940/180803-it-threat-evolution-q2-2018-statistics-14.png>)\n\n_Number of unique users attacked by cryptors, Q2 2018_\n\n#### **Geography of attacks**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175856/180803-it-threat-evolution-q2-2018-statistics-15.png>)\n\n#### **TOP 10 countries attacked by Trojan cryptors**\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Ethiopia | 2.49 \n2 | Uzbekistan | 1.24 \n3 | Vietnam | 1.21 \n4 | Pakistan | 1.14 \n5 | Indonesia | 1.09 \n6 | China | 1.04 \n7 | Venezuela | 0.72 \n8 | Azerbaijan | 0.71 \n9 | Bangladesh | 0.70 \n10 | Mongolia | 0.64 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). \n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThe list of TOP 10 countries in Q2 is practically identical to that in Q1. However, some place trading occurred in TOP 10: Ethiopia (2.49%) pushed Uzbekistan (1.24%) down from first to second place, while Pakistan (1.14%) rose to fourth place. 
Vietnam (1.21%) remained in third position, and Indonesia (1.09%) remained fifth.\n\n#### **TOP 10 most widespread cryptor families**\n\n| **Name** | **Verdicts*** | **% ****of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 53.92 | \n2 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 4.92 | \n3 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 3.81 | \n4 | Shade | Trojan-Ransom.Win32.Shade | 2.40 | \n5 | Crysis | Trojan-Ransom.Win32.Crusis | 2.13 | \n6 | Cerber | Trojan-Ransom.Win32.Zerber | 2.09 | \n7 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.02 | \n8 | Locky | Trojan-Ransom.Win32.Locky | 1.49 | \n9 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.36 | \n10 | Cryakl | Trojan-Ransom.Win32.Cryakl | 1.04 | \n| | | | | \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nWannaCry further extended its lead over other cryptor families, its share rising to 53.92% from 38.33% in Q1. Meanwhile, the cybercriminals behind GandCrab (4.92%, emerged only in Q1 2018) put so much effort into its distribution that it rose all the way up to second place in this TOP 10, displacing the polymorphic worm PolyRansom (3.81%). The remaining positions, just like in Q1, are occupied by the long-familiar cryptors Shade, Crysis, Purgen, Cryakl etc.\n\n### Cryptominers\n\nAs we already reported in [Ransomware and malicious cryptominers in 2016-2018](<https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/>), ransomware is shrinking progressively, and cryptocurrency miners are starting to take its place. Therefore, this year we decided to begin to publish quarterly reports on the situation around this type of threat. 
Simultaneously, we began to use a broader range of verdicts as a basis for collecting statistics on miners, so the Q2 statistics may not be consistent with the data from our earlier publications. It includes both stealth miners which we detect as Trojans, and those which are issued the verdict 'Riskware not-a-virus'_._\n\n#### **Number of new modifications**\n\nIn Q2 2018, Kaspersky Lab solutions detected 13,948 new modifications of miners.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175945/180803-it-threat-evolution-q2-2018-statistics-16.png>)\n\n_Number of new miner modifications, Q2 2018_\n\n#### **Number of users attacked by cryptominers **\n\nIn Q2, we detected attacks involving mining programs on the computers of 2,243,581 Kaspersky Lab users around the world.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175951/180803-it-threat-evolution-q2-2018-statistics-17.png>)\n\n_Number of unique users attacked by cryptominers, Q2 2018_\n\nIn April and May, the number of attacked users stayed roughly equal, and in June there was a modest decrease in cryptominers' activity.\n\n#### **Geography of attacks**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175856/180803-it-threat-evolution-q2-2018-statistics-18.png>)\n\n_Geography of cryptominer attacks, Q2 2018_\n\n#### **TOP 10 countries by percentage of attacked users**\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Ethiopia | 17.84 \n2 | Afghanistan | 16.21 \n3 | Uzbekistan | 14.18 \n4 | Kazakhstan | 11.40 \n5 | Belarus | 10.47 \n6 | Indonesia | 10.33 \n7 | Mozambique | 9.92 \n8 | Vietnam | 9.13 \n9 | Mongolia | 9.01 \n10 | Ukraine | 8.58 \n \n_*Excluded are countries with relatively few Kaspersky Lab' product users (under 50,000). 
\n** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country._\n\n## Vulnerable apps used by cybercriminals\n\nIn Q2 2018, we again observed some major changes in the distribution of platforms most often targeted by exploits. The share of Microsoft Office exploits (67%) doubled compared to Q1 (and quadrupled compared with the average for 2017). Such a sharp growth was driven primarily by massive spam messages distributing documents containing an exploit for the vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>). This stack overflow-type vulnerability in the old, deprecated Equation Editor component existed in all versions of Microsoft Office released over the last 18 years. The exploit still works stably in all possible combinations of the Microsoft Office package and Microsoft Windows. On the other hand, it allows the use of various obfuscations for bypassing the protection. These two factors made this vulnerability the most popular tool in cybercriminals' hands in Q2. The shares of other Microsoft Office vulnerabilities did not undergo much change since Q1.\n\nQ2 KSN statistics also showed a growing number of Adobe Flash exploits delivered via Microsoft Office. Despite Adobe and Microsoft's efforts to obstruct exploitation of Flash Player, a new 0-day exploit [CVE-2018-5002](<http://blogs.360.cn/blog/cve-2018-5002-en/>) was discovered in Q2. It propagated in an XLSX file and used a little-known technique allowing the exploit to be downloaded from a remote source rather than carried in the document body. Shockwave Flash (SWF) files, like many other file formats, are rendered in Microsoft Office documents in the OLE (Object Linking and Embedding) format. In the case of a SWF file, the OLE object contains the actual file and a list of various properties, one of which points to the path to the SWF file. 
The OLE object in the discovered exploit did not contain an SWF file in it, but only carried a list of properties including a web link to the SWF file, which forced Microsoft Office to download the missing file from the provided link.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175902/180803-it-threat-evolution-q2-2018-statistics-19.png>)\n\n_Distribution of exploits used in cybercriminals' attacks by types of attacked applications, Q2 2018_\n\nIn late March 2018, a PDF document was detected at VirusTotal that contained two 0-day vulnerabilities: [CVE-2018-4990](<https://helpx.adobe.com/security/products/acrobat/apsb18-09.html>) and [CVE-2018-8120](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8120>). The former allowed for execution of shellcode from JavaScript via exploitation of a software error in JPEG2000 format image processor in Acrobat Reader. The latter existed in the win32k function [SetImeInfoEx](<https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/>) and was used for further privilege escalation up to SYSTEM level and enabled the PDF viewer to escape the sandbox. An analysis of the document and our statistics show that at the moment of uploading to VirusTotal, this exploit was at the development stage and was not used for in-the-wild attacks.\n\nIn late April, Kaspersky Lab experts using an in-house sandbox found the 0-day vulnerability [CVE-2018-8174](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>) in Internet Explorer and reported it to Microsoft. An exploit for this vulnerability used a technique associated with [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>) (launching an HTA script from a remote source via a specially crafted OLE object) to exploit a vulnerable Internet Explorer component with the help of Microsoft Office. 
We are observing that exploit pack creators have already taken this vulnerability on board and actively distribute exploits for it both via web sites and emails containing malicious documents.\n\nAlso in Q2, we observed a growing number of network attacks. There is a growing share of attempts to exploit the vulnerabilities patched with the security update MS17-010; these make up a majority of the detected network attacks.\n\n## Attacks via web resources\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Top 10 countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn the second quarter of 2018, Kaspersky Lab solutions blocked 962,947,023 attacks launched from web resources located in 187 countries around the world. 351,913,075 unique URLs were recognized as malicious by web antivirus components.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175958/180803-it-threat-evolution-q2-2018-statistics-20.png>)\n\n_Distribution of web attack sources by country, Q2 2018_\n\nIn Q2, the top four web attack source countries remained unchanged. The US (45.87%) was home to most sources of web attacks. 
The Netherlands (25.74%) came second by a large margin, Germany (5.33%) was third. There was a change in the fifth position: Russia (1.98%) has displaced the UK, although its share has decreased by 0.55 p.p.\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the _Malware class_; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 33.49 \n2 | Albania | 30.27 \n3 | Algeria | 30.08 \n4 | Armenia | 29.98 \n5 | Ukraine | 29.68 \n6 | Moldova | 29.49 \n7 | Venezuela | 29.12 \n8 | Greece | 29.11 \n9 | Kyrgyzstan | 27.25 \n10 | Kazakhstan | 26.97 \n11 | Russia | 26.93 \n12 | Uzbekistan | 26.30 \n13 | Azerbaijan | 26.12 \n14 | Serbia | 25.23 \n15 | Qatar | 24.51 \n16 | Latvia | 24.40 \n17 | Vietnam | 24.03 \n18 | Georgia | 23.87 \n19 | Philippines | 23.85 \n20 | Romania | 23.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data. \n* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175858/180803-it-threat-evolution-q2-2018-statistics-21.png>)\n\n_Geography of malicious web attacks in Q2 2018 (percentage of attacked users)_\n\nOn average, 19.59% of Internet user computers worldwide experienced at least one Malware-class web attack.\n\n## Local threats\n\n_Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q2 2018, our File Anti-Virus detected 192,053,604 malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only _Malware-class_ attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Uzbekistan | 51.01 \n2 | Afghanistan | 49.57 \n3 | Tajikistan | 46.21 \n4 | Yemen | 45.52 \n5 | Ethiopia | 43.64 \n6 | Turkmenistan | 43.52 \n7 | Vietnam | 42.56 \n8 | Kyrgyzstan | 41.34 \n9 | Rwanda | 40.88 \n10 | Mongolia | 40.71 \n11 | Algeria | 40.25 \n12 | Laos | 40.18 \n13 | Syria | 39.82 \n14 | Cameroon | 38.83 \n15 | Mozambique | 38.24 \n16 | Bangladesh | 37.57 \n17 | Sudan | 37.31 \n18 | Nepal | 37.02 \n19 | Zambia | 36.60 \n20 | Djibouti | 36.35 \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives. \n* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). \n** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175902/180803-it-threat-evolution-q2-2018-statistics-22.png>)\n\n_Geography of malicious web attacks in Q2 2018 (ranked by percentage of users attacked)_\n\nOn average, 19.58% of computers globally faced at least one Malware-class local threat in Q2.", "cvss3": {}, "published": "2018-08-06T10:00:04", "type": "securelist", "title": "IT threat evolution Q2 2018. 
Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-4990", "CVE-2018-5002", "CVE-2018-8120", "CVE-2018-8174"], "modified": "2018-08-06T10:00:04", "id": "SECURELIST:A2A995C1C898D3DA4DB008FBA6AA149E", "href": "https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}