CVE-2015-5123
Published: 14 July 2015
Summary
CVE-2015-5123 is a critical-severity Use After Free (CWE-416) vulnerability in Suse Linux Enterprise Desktop. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 2.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2015-5123 is a use-after-free vulnerability in the BitmapData class of the ActionScript 3 implementation in Adobe Flash Player. Affected versions include 13.x through 13.0.0.302 and 14.x through 18.0.0.203 on Windows and OS X, along with 11.x through 11.2.202.481 and 12.x through 18.0.0.204 on Linux and Linux Chrome installations. The flaw is tracked as CWE-416 and received a CVSS 3.1 score of 9.8.
Remote attackers can exploit the issue by serving crafted Flash content that overrides a valueOf function, resulting in arbitrary code execution or denial of service via memory corruption. No user interaction or authentication is required for successful exploitation over the network.
OpenSUSE security advisories reference patches and updated packages to address the vulnerability. The issue was exploited in the wild in July 2015 and surfaced publicly through the Hacking Team leak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-5138
Vulnerability details
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through…
more
18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
- CWE(s)
- KEV Date Added
- 13 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly restricts use of mobile code technologies such as Flash and blocks execution of untrusted AS3 content that triggers the use-after-free flaw.
Requires prompt installation of vendor patches that eliminate the BitmapData use-after-free condition in affected Flash Player versions.
Enforces least functionality by disabling or removing the Flash Player plug-in entirely when its capabilities are not required.