CVE-2017-11292
Published: 22 October 2017
Summary
CVE-2017-11292 is a high-severity Type Confusion (CWE-843) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Flash Player versions 27.0.0.159 and earlier contain a flawed bytecode verification procedure that permits an untrusted value to be used when calculating an array index. This flaw produces a type confusion condition, tracked as CWE-843, that can be leveraged for arbitrary code execution. The vulnerability carries a CVSS 3.1 base score of 8.8 with network attack vector, low complexity, and no required privileges.
An attacker can deliver malicious Flash content over the network that triggers the issue when rendered by the affected player. Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the current user, provided the victim interacts with the content.
Adobe addressed the issue in security bulletin APSB17-32, and corresponding updates were issued through Red Hat (RHSA-2017:2899), Gentoo (GLSA-201710-22), and other distribution channels. Practitioners should apply the vendor-supplied Flash Player updates immediately and consider disabling or removing the plugin where Flash usage is no longer required.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-2926
Vulnerability details
Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead to arbitrary code execution.
- CWE(s): CWE-843
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor-supplied Flash Player patches that correct the bytecode verification flaw.
Mandates disabling or removing the Flash Player plugin when its use is no longer required, eliminating the attack surface.
Establishes usage restrictions and implementation guidance for mobile code technologies such as Flash.