8 December 2018

On December 5th, 2018 Adobe published security bulletin APSB18-41[1] for critical vulnerability CVE-2018-15928 in the widely used Flash Player. Gigamon Applied Threat Research (ATR) reported the vulnerability on November 29th, 2018 to Adobe. They detected the issue some days before while analyzing a malicious word document that was uploaded to VirusTotal from a Ukrainian IP address. For a detailed analysis of the attack and the vulnerability see [2][3].

Successful exploitation of CVE-2018-15928 could lead to Arbitrary Code Execution in the context of the current user. Due to RedHat the CVSS3 Base Metrics is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H with a CVSS3 Base Score of 8.8.

Zero days are not a rare phenomenon. Between 2013 and 2017[4] about 60% of the exploits were disclosed before the related CVE was published.

For about 20% of vulnerabilities in the NVD exploits are published in the exploit database[5]. Only about 1% of the vulnerabilities are exploited in the wild. Thus CVE-2018-15928 is a really rare event.

Remote code/script execution (RxE) vulnerabilities like CVE-2018-15928 represent about 20% of all vulnerabilities. 43% of the exploits published between 1988 and 2018 are related to RxE vulnerabilities.

RxE Vulnerabilities. Data: 1988-2018

Exploits for RxE Vulnerabilities. Data: 1988-2018

About 5% of the RxE vulnerabilities are exploited in the wild.

This means, that RxE vulnerabilities are 5 times more often exploited in the wild then Non-RxE vulnerabilities. They are hacker’s favorites!

What does the mean for our vulnerability management strategy?

• The remediation process must be started directly upon publication of an RxE vulnerability in the NVD or the disclosure of an exploit for an RxE in the exploit database.
• In scope for the first remediation wave must be at least all systems facing the internet, e.g. workstations, servers in the DMZ or in public clouds.
• Gathering intelligence about new vulnerabilities from a plethora of publicly available sources (OSINT) is a time-consuming task. A threat intelligence service can speed-up information gathering and reduces the workload of your IT security staff.
• In addition, since remediation takes some time, it makes sense to invest in means for enhancing the resilience of application systems.

Expect the worst and be prepared. Or, to echo Hamlet:

To be, or not to be, that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing, end them? To die: to sleep;

Have a good weekend.

1. Adobe. Security updates available for Flash Player | APSB18-42 [Internet]. 2018 [cited 2018 Dec 8]. Available from: https://helpx.adobe.com/security/products/flash-player/apsb18-42.html

2. Gigamon Threat Research Team. Adobe Flash Zero-Day Exploited In the Wild [Internet]. Gigamon ATR Blog. 2018 [cited 2018 Dec 8]. Available from: https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/

3. Qihoo 360 Advanced Threat Response Team. Operation Poison Needles – APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day [Internet]. 2018 [cited 2018 Dec 8]. Available from: http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN.html

4. Jochem K. About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy? [Internet]. IT Security Matters. 2018 [cited 2018 Dec 8]. Available from: https://klausjochem.me/2018/11/04/about-60-of-exploits-are-published-before-the-cve-what-does-this-mean-for-your-cyber-security-strategy/

5. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/