CVE-2015-0310
Published 2015-01-23
Priority: P1 (83) · high · CVSS 3.1 base score 7.8
Tags: CISA KEV · exploited in the wild (ITW) · ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-15
EPSS: 15.22% (96.3rd percentile)
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.
Affected
3 ranges
| Vendor | Product | Platform (per advisory text) | Version range | Fixed in |
|---|---|---|---|---|
| adobe | flash_player | Linux (11.2 branch) | < 11.2.202.438 | 11.2.202.438 |
| adobe | flash_player | Windows, OS X (13.x branch) | < 13.0.0.262 | 13.0.0.262 |
| adobe | flash_player | Windows, OS X | >= 14.0 < 16.0.0.287 | 16.0.0.287 |
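The three ranges above are platform-blind CPE data: read literally, "< 13.0.0.262" also matches a fully patched Linux 11.2.202.438. The check below is an added example (not Adobe's or any vendor's tooling) that applies the platform split from the advisory description instead. The platform aliases, the `triage` helper and the inventory rows are assumptions made for the example.

```python
"""Platform-aware check of a Flash Player version against CVE-2015-0310.

Added example; not from Adobe or any vendor tool. It encodes the ranges in
the advisory text on this page: on Windows and OS X the 13.x branch is fixed
at 13.0.0.262 and the 14.x-16.x branch at 16.0.0.287; on Linux the 11.2
branch is fixed at 11.2.202.438.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Per platform: (inclusive lower bound or None, first fixed version).
# A version is affected when it lies inside any one of its platform's ranges.
AFFECTED: Dict[str, List[Tuple[Optional[str], str]]] = {
    "windows": [(None, "13.0.0.262"), ("14.0", "16.0.0.287")],
    "osx":     [(None, "13.0.0.262"), ("14.0", "16.0.0.287")],
    "linux":   [(None, "11.2.202.438")],
}

# Assumed spellings seen in inventories, mapped onto the keys of AFFECTED.
PLATFORM_ALIASES = {
    "win": "windows", "windows": "windows",
    "osx": "osx", "macos": "osx", "mac": "osx", "macintosh": "osx",
    "linux": "linux",
}


def parse_version(text: str) -> Version:
    """'16.0.0.257' -> (16, 0, 0, 257); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash version string: {text!r}")
    return tuple(int(p) for p in parts)


def normalize_platform(platform: str) -> str:
    key = platform.strip().lower().replace(" ", "").replace("-", "")
    if key not in PLATFORM_ALIASES:
        raise ValueError(f"unknown platform: {platform!r}")
    return PLATFORM_ALIASES[key]


def is_vulnerable(version: str, platform: str) -> bool:
    """True when `version` on `platform` is older than the fix for its branch."""
    v = parse_version(version)
    for low, fixed in AFFECTED[normalize_platform(platform)]:
        if low is not None and v < parse_version(low):
            continue            # below this branch's floor: the range does not apply
        if v < parse_version(fixed):
            return True         # inside the branch and older than the fix
    return False


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """(host, platform, version) rows -> the same rows with a vulnerable flag appended."""
    return [(host, plat, ver, is_vulnerable(ver, plat)) for host, plat, ver in inventory]


if __name__ == "__main__":
    # Constructed inventory rows for illustration.
    sample = [
        ("ws01", "Windows", "16.0.0.257"),   # last release before the fix: affected
        ("ws02", "Windows", "16.0.0.287"),   # the fix itself: clean
        ("ws03", "Windows", "13.0.0.300"),   # 13.x after its fix and below 14.0: clean
        ("mac01", "OS X", "13.0.0.259"),     # 13.x before the fix: affected
        ("lx01", "Linux", "11.2.202.438"),   # Linux fix: clean although "< 13.0.0.262"
        ("lx02", "Linux", "11.2.202.429"),   # affected
    ]
    for host, plat, ver, vuln in triage(sample):
        print(f"{host:6} {plat:8} {ver:14} {'VULNERABLE' if vuln else 'ok'}")
```

The Windows range with the `14.0` floor is what keeps a patched 13.x build (say 13.0.0.300) from being flagged, and the per-platform table is what keeps Linux 11.2.202.438 clean. Since Flash Player is end-of-life, any instance this finds, affected or not, should be removed rather than patched, as the CISA entry below says.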
Detection & IOCs (extracted from sources)
Snort
SIDs: 29066, 31332, 33182, 33183, 33184, 33185, 33186, 33187, 33188
- The Angler EK 0-day exploit is selectively served only to specific User Agents: Chrome-based or non-standard user agents are served other exploits but not the Flash 0-day. Detection should focus on IE/Firefox UA strings receiving Flash exploit content.
- Angler EK domains hosting the CVE-2015-0310 exploit were registered under the single email address [email protected]. Pivoting on this registrant can surface additional malicious infrastructure.
- Domains hosting the exploit were rapidly registered and rotated, typically used for only about 24 hours. Monitor for newly registered domains resolving to 46.105.251.7 or 94.23.247.180.
- The exploit runs entirely in memory and does not use commonly monitored API calls such as CreateProcess or WriteFile, making host-based AV detection harder. Focus on memory-based or network-based detection.
- A GET request to www.ecb.europa.eu observed post-compromise is a high-probability indicator of Bedep infection, which was a primary payload delivered via the Angler EK campaign exploiting CVE-2015-0310.
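Because the exploit stays in memory and avoids the APIs host AV watches, the network side is where these indicators pay off. The script below is an added example (not Talos code, not a Snort rule, and not from the original page) that turns the bullets above into rules run over proxy logs: Flash content served to an IE or Firefox user agent from a host on 46.105.251.7 or 94.23.247.180, any other traffic to those IPs, and a follow-on GET to www.ecb.europa.eu from a client that was just served the exploit. The pipe-separated log format, the 30-minute correlation window, the hostnames and every log line are constructed for the example; 203.0.113.9 is a documentation address, not the ECB's.

```python
"""Network-side detection of the Angler EK / Bedep chain around CVE-2015-0310.

Added example; not Talos code and not a Snort rule. The two server IPs come
from the Talos reporting quoted above; the log format, the correlation
window and all log lines are constructed for this example.
"""
from datetime import datetime, timedelta
from typing import Dict, List

ANGLER_IPS = {"46.105.251.7", "94.23.247.180"}   # from the Talos reporting above
BEDEP_HOST = "www.ecb.europa.eu"                  # Bedep post-infection request target
CORRELATION_WINDOW = timedelta(minutes=30)        # assumed: delivery-to-check-in gap that still counts
FIELDS = ["ts", "client", "host", "server_ip", "method", "path", "status", "content_type", "ua"]

IE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"

# Constructed proxy log, pipe-separated in FIELDS order.
SAMPLE_LOG = "\n".join([
    f"2015-01-21T10:00:01|10.0.0.5|ad-rotate.example|46.105.251.7|GET|/land.php|200|text/html|{IE_UA}",
    f"2015-01-21T10:00:03|10.0.0.5|ad-rotate.example|46.105.251.7|GET|/x.swf|200|application/x-shockwave-flash|{IE_UA}",
    f"2015-01-21T10:02:10|10.0.0.5|{BEDEP_HOST}|203.0.113.9|GET|/|200|text/html|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
    f"2015-01-21T10:05:00|10.0.0.7|ad-rotate.example|94.23.247.180|GET|/land.php|200|text/html|{CHROME_UA}",
    f"2015-01-21T10:05:02|10.0.0.7|ad-rotate.example|94.23.247.180|GET|/sl.js|200|application/javascript|{CHROME_UA}",
    f"2015-01-21T11:00:00|10.0.0.9|{BEDEP_HOST}|203.0.113.9|GET|/stats/html/index.en.html|200|text/html|{FIREFOX_UA}",
])


def parse_line(line: str) -> Dict[str, object]:
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.fromisoformat(parts[0])
    return rec


def is_ie_or_firefox(ua: str) -> bool:
    """The Flash 0-day was only served to IE and Firefox; Chrome-based UAs got other content."""
    if "Chrome/" in ua:
        return False
    return any(token in ua for token in ("MSIE ", "Trident/", "Firefox/"))


def is_flash(rec: Dict[str, object]) -> bool:
    ctype = str(rec["content_type"]).lower()
    return ctype.startswith("application/x-shockwave-flash") or str(rec["path"]).lower().endswith(".swf")


def alert(rec: Dict[str, object], rule: str, severity: str) -> Dict[str, object]:
    return {"rule": rule, "severity": severity, "ts": rec["ts"], "client": rec["client"],
            "host": rec["host"], "server_ip": rec["server_ip"], "path": rec["path"]}


def detect(log_text: str) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    last_delivery: Dict[str, datetime] = {}   # client -> time of last Flash exploit delivery
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["server_ip"] in ANGLER_IPS:
            if is_flash(rec) and is_ie_or_firefox(str(rec["ua"])):
                alerts.append(alert(rec, "angler_flash_exploit", "high"))
                last_delivery[str(rec["client"])] = rec["ts"]  # type: ignore[assignment]
            else:
                alerts.append(alert(rec, "angler_infrastructure", "medium"))
        elif rec["host"] == BEDEP_HOST and rec["method"] == "GET":
            # The ECB site is legitimate; only a hit shortly after exploit delivery
            # to the same client is treated as the Bedep post-infection indicator.
            seen = last_delivery.get(str(rec["client"]))
            if seen is not None and timedelta(0) <= rec["ts"] - seen <= CORRELATION_WINDOW:  # type: ignore[operator]
                alerts.append(alert(rec, "bedep_checkin", "high"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['severity']:6} {a['rule']:22} {a['client']} -> {a['host']}{a['path']}")
```

Two design points follow from the bullets. A GET to www.ecb.europa.eu on its own is ordinary browsing, so the rule only fires when the same client was served Flash content from the Angler IPs inside the window, which is what "post-compromise" means operationally. And the Chrome client that fetches a landing page and JavaScript from 94.23.247.180 is still reported, but at medium severity, because the bullets say those browsers were served something other than the Flash 0-day.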
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.8 | HIGH | |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
CISA
Adobe Flash Player ASLR Bypass Vulnerability
cisa·2022-05-25·CVSS 7.8
CVE-2015-0310 [HIGH] CWE-264 Adobe Flash Player ASLR Bypass Vulnerability
Vulnerability: Adobe Flash Player ASLR Bypass Vulnerability
Affected: Adobe Flash Player
Adobe Flash Player does not properly restrict discovery of memory addresses, which allows attackers to bypass the address space layout randomization (ASLR) protection mechanism.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-0310
Remediation Due Date: 2022-06-15
Red Hat
flash-plugin: Vulnerability that could be used to circumvent memory randomization mitigations (APSB15-02)
vendor_redhat·2015-01-22·CVSS 7.8
CVE-2015-0310 [HIGH] flash-plugin: Vulnerability that could be used to circumvent memory randomization mitigations (APSB15-02)
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.
GHSA
GHSA-3qq4-w757-rjqm: Adobe Flash Player before 13
ghsa_unreviewed·2022-05-17
CVE-2015-0310 [HIGH] CWE-200 GHSA-3qq4-w757-rjqm: Adobe Flash Player before 13
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.
OSV
CVE-2015-0310: Adobe Flash Player before 13
osv·2015-01-23·CVSS 7.8
CVE-2015-0310 [HIGH] CVE-2015-0310: Adobe Flash Player before 13
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.
VulnCheck
Adobe Flash Player ASLR Bypass Vulnerability
vulncheck·2015·CVSS 7.8
CVE-2015-0310 [HIGH] CWE-264 Adobe Flash Player ASLR Bypass Vulnerability
Adobe Flash Player does not properly restrict discovery of memory addresses, which allows attackers to bypass the address space layout randomization (ASLR) protection mechanism.
Affected: Adobe Flash Player
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://www.cve.org/CVERecord?id=CVE-2015-0310
- https://www.fireeye.com/blog/threat-research/2015/01/a_different_exploit.html
- https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-15
Talos
Bedep Lurking in Angler's Shadows
blogs_talos·2016-02-09·CVSS 7.8
[HIGH] Bedep Lurking in Angler's Shadows
This post is authored by Nick Biasini.
In October 2015, Talos released our detailed investigation of the Angler Exploit Kit which outlined the infrastructure and monetary impact of an exploit kit campaign delivering ransomware. During the investigation we found that two thirds of Angler's payloads were some variation of ransomware and noted one of the other major payloads was Bedep. Bedep is a malware downloader that is exclusive to Angler. This post will discuss the Bedep side of Angler and draw some pretty clear connections between Angler and Bedep.
Adversaries continue to evolve and have become increasingly good at hiding the connections to the nefarious activities in which they are involved. As security researchers we are always looking for the bread crumbs that can link these threat
Krebs
Flash Patch Targets Zero-Day Exploit
blogs_krebs·2015-01-26·CVSS 7.8
[HIGH] Flash Patch Targets Zero-Day Exploit
Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks. Compounding the threat, the company said it is investigating reports that crooks may have developed a separate exploit that gets around the protections in this latest update.
Early indicators of a Flash zero-day vulnerability came this week in a blog post by Kafeine, a noted security researcher who keeps close tabs on new innovations in “exploit kits.” Often called exploit packs — exploit kits are automated software tools that help thieves booby-trap hacked sites to deploy malicious code.
Kafeine wrote that a popular crimeware package called the Angler Exploit Kit was targeting a previously undocumented vulnerability in Flash that ap
Talos
Flash 0-day Exploited by Angler Exploit Kit
blogs_talos·2015-01-23·CVSS 8.8
[HIGH] Flash 0-day Exploited by Angler Exploit Kit
This post was authored by Nick Biasini, Earl Carter and Jaeson Schultz
Flash has long been a favorite target among Exploit Kits (EK). In October 2014 the Angler EK was believed to be targeting a new Flash vulnerability. The bug that the Angler exploit kit was attempting to exploit had been “accidentally” patched by Adobe’s APSB14-22 update. According to F-Secure, the vulnerability that Angler was actually attempting to exploit was an entirely new bug, CVE-2014-8439. The bug was severe enough that Adobe fixed it out-of-band.
Fast forward to January 2015. With the emergence of this new Flash 0-day bug, we have more evidence that the Angler Exploit Kit developers are actively working on discovering fresh bugs in Flash for themselves. The group is incorporating these exploits into the Angler
Qualys
New 0-day vulnerability in Adobe Flash - Update 5 | Qualys
blogs_qualys·2015-01-21·CVSS 7.8
CVE-2015-0311 [HIGH] New 0-day vulnerability in Adobe Flash - Update 5 | Qualys
Update: Adobe has published a new version of the Flash player (16.0.0.296) that addresses CVE-2015-0311. At the moment only users of the automated Adobe Update service are getting the update. You can go into your control panel and perform a manual update to see the version and trigger a manual update if necessary:
So that means that at the moment my Safari browser is the tool of choice to use. Google Chrome and Internet Explorer, which use their own update mechanism (normally an advantage, as they tend to be fast and convenient), have not gotten their automated updates yet. You can check on the version of your Flash plugin here at the official Adobe page. A downloadable standalone update (APSB15-03) suitable for enterprise patch management systems is expected next week. If you decide not t
Bugzilla
CVE-2015-0310 flash-plugin: Vulnerability that could be used to circumvent memory randomization mitigations (APSB15-02)
bugzilla·2015-01-23·CVSS 7.8
CVE-2015-0310 [HIGH] CVE-2015-0310 flash-plugin: Vulnerability that could be used to circumvent memory randomization mitigations (APSB15-02)
Adobe has released Flash Player 11.2.202.438 for Linux to correct the following flaws:
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform.
External References:
http://helpx.adobe.com/security/products/flash-player/apsb15-02.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0094 https://rhn.redhat.com/errata/RHSA-2015-0094.html
Bugzilla
(CVE-2015-0311) Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438
bugzilla·2015-01-22·CVSS 7.8
CVE-2015-0311 [HIGH] (CVE-2015-0311) Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438
a 0-day was found in flash according to https://blog.malwarebytes.org/exploits-2/2015/01/new-adobe-flash-zero-day-found-in-the-wild/ and an update to version 16.0.0.287 was apparently done today.
So I guess we need to blocklist older versions of flash due to the 0day like version 16.0.0.257
note: if we do the blocklist, could this be coordinated with schalk (:espressive) so we don't melt plugincheck again like last time when there was a flash 0day ? :)
Discussion:
Is there a CVE or other post that details which versions of Flash are affected?
---
Details:
https://helpx.adobe.com/security/products/flash-player/apsb15-02.html
This fixes _a_ bug that was exploited in the wild (CV
References
- http://helpx.adobe.com/security/products/flash-player/apsb15-02.html
- http://secunia.com/advisories/62452
- http://secunia.com/advisories/62601
- http://secunia.com/advisories/62660
- http://secunia.com/advisories/62740
- http://security.gentoo.org/glsa/glsa-201502-02.xml
- http://www.securityfocus.com/bid/72261
- http://www.securitytracker.com/id/1031609
- https://github.com/cisagov/vulnrichment/issues/196
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-0310
Timeline
- 2015-01-23: Published
- 2022-05-25: Added to CISA KEV
- Exploited in the wild