cbcvebase.
CVE-2015-0311
published 2015-01-23

Priority: P1 · 98 · critical 9.8 · CVSS 3.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-05-04
Exploited in the wild
EPSS: 85.82% (99.7th percentile)
Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015.

Affected (8 ranges)

Vendor     Product                                 Version range                  Fixed in
adobe      flash_player                            <= 11.2.202.438
adobe      flash_player                            <= 13.0.0.262
adobe      flash_player                            >= 14.0.0.125, < 16.0.0.287    16.0.0.287
microsoft  internet_explorer
microsoft  internet_explorer
suse       linux_enterprise_desktop
suse       linux_enterprise_desktop
suse       linux_enterprise_workstation_extension

Detection & IOCs (extracted from sources)

Snort SIDs: 33271-33274, 33286
Snort SIDs: 29066, 31332, 33182, 33183, 33184, 33185, 33186, 33187, 33188
  • CVE-2015-0311 exploit delivered only to specific User Agents (Internet Explorer and Firefox on Windows 8 and below); Chrome-based or non-standard user agents are served different exploits — filter for non-Chrome UA strings receiving Flash content from Angler EK infrastructure.
  • Angler EK used multi-tier subdomain infrastructure (~1800 landing/exploit subdomains + ~650 redirect subdomains) with algorithmically generated subdomain names (e.g. acfbbfhdahfeh.legitdomain.info) — detect high-entropy subdomain patterns resolving to the listed IPs.
  • New CVE-2015-0311 variants had very low AV detection rates (1/57–3/57) at time of campaign; rely on network-based detection (IDS/NGFW) rather than AV alone for these hashes.
  • Exploit delivered via drive-by-download (malvertising) targeting Internet Explorer and Firefox on Windows 8 and below — prioritize monitoring of these browser/OS combinations for Flash exploit activity.
  • Domains used for exploitation were registered one day and used for only ~24 hours before rotation — short TTL/newly registered domains resolving to the listed IPs are a strong signal of Angler EK activity.
  • The ~1800 exploit/landing-page domains and ~650 redirect domains are not statically listed in the report; only the backing IP addresses are provided. Block by IP rather than domain for coverage.
  • The domain list for the earlier campaign (as of 1/23/2015) is referenced as an external link and not reproduced in the blog post; only the two associated IPs (46.105.251.7 & 94.23.247.180) are directly actionable.
  • Snort SIDs 33271-33274 and 33286 (new variants campaign) and SIDs 29066, 31332, 33182-33188 (initial 0-day campaign) should be verified against the latest Snort/Defense Center ruleset, as they may have been updated since publication.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                     9.8    CRITICAL
vulncheck               9.8    CRITICAL
cisa                    9.8    CRITICAL
vendor_redhat           9.8    CRITICAL