米国土安全保障省サイバーセキュリティ・インフラストラクチャセキュリティ庁(CISA: Cybersecurity and Infrastructure Security Agency)は2022年6月8日(米国時間)、「CISA Adds 36 Known Exploited Vulnerabilities to Catalog |CISA」において、「Known Exploited Vulnerabilities Catalog」に36個の脆弱性を追加したと伝えた。これら脆弱性はサイバー犯罪者によって積極的に悪用されていることが確認されており注意が必要。
-
CISA Adds 36 Known Exploited Vulnerabilities to Catalog |CISA
影響を受ける主な製品やサービスは次のとおり。
- CVE-2022-31460 Owl Labs - Meeting Owl Pro and Whiteboard Owl
- CVE-2019-7195 QNAP - Photo Station
- CVE-2019-7194 QNAP - Photo Station
- CVE-2019-7193 QNAP - QTS
- CVE-2019-7192 QNAP - Photo Station
- CVE-2019-5825 Google - Chromium V8 Engine
- CVE-2019-15271 Cisco - RV Series Routers
- CVE-2018-6065 Google - Chromium V8 Engine
- CVE-2018-4990 Adobe - Acrobat and Reader
- CVE-2018-17480 Google - Chromium V8 Engine
- CVE-2018-17463 Google - Chromium V8 Engine
- CVE-2017-6862 NETGEAR - Multiple Devices
- CVE-2017-5070 Google - Chromium V8 Engine
- CVE-2017-5030 Google - Chromium V8 Engine
- CVE-2016-5198 Google - Chromium V8 Engine
- CVE-2016-1646 Google - Chromium V8 Engine
- CVE-2013-1331 Microsoft - Office
- CVE-2012-5054 Adobe - Flash Player
- CVE-2012-4969 Microsoft - Internet Explorer
- CVE-2012-1889 Microsoft - XML Core Services
- CVE-2012-0767 Adobe - Flash Player
- CVE-2012-0754 Adobe - Flash Player
- CVE-2012-0151 Microsoft - Windows
- CVE-2011-2462 Adobe - Acrobat and Reader
- CVE-2011-0609 Adobe - Flash Player
- CVE-2010-2883 Adobe - Reader and Acrobat
- CVE-2010-2572 Microsoft - PowerPoint
- CVE-2010-1297 Adobe - Flash Player
- CVE-2009-4324 Adobe - Acrobat and Reader
- CVE-2009-3953 Adobe - Acrobat and Reader
- CVE-2009-1862 Adobe - Acrobat and Reader, Flash Player
- CVE-2009-0563 Microsoft - Office
- CVE-2009-0557 Microsoft - Office
- CVE-2008-0655 Adobe - Acrobat and Reader
- CVE-2007-5659 Adobe - Acrobat and Reader
- CVE-2006-2492 Microsoft - Word
脆弱性の主な内容は次のとおり。
| CVE番号 | 脆弱性内容 |
|---|---|
| CVE-2022-31460 | Owl Labs Meeting Owl and Whiteboard Owl allow attackers to activate Tethering Mode with hard-coded hoothoot credentials via a certain c 150 value. |
| CVE-2019-7195 | QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files. |
| CVE-2019-7194 | QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files. |
| CVE-2019-7193 | QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. |
| CVE-2019-7192 | QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. |
| CVE-2019-5825 | Google Chromium V8 contains an out-of-bounds write vulnerability which allows a remote attacker to potentially exploit heap corruption. |
| CVE-2019-15271 | A deserialization of untrusted data vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an attacker to execute code with root privileges. |
| CVE-2018-6065 | Google Chromium V8 Engine contains an integer overflow vulnerability which allows a remote attacker to potentially exploit heap corruption. |
| CVE-2018-4990 | Adobe Acrobat and Reader have a double free vulnerability that could lead to remote code execution. |
| CVE-2018-17480 | Google Chromium V8 contains an out-of-bounds write vulnerability which allows a remote attacker to execute code inside a sandbox. |
| CVE-2018-17463 | Google Chromium V8 contains an unspecified vulnerability which allows for remote code execution. |
| CVE-2017-6862 | Multiple NETGEAR devices contain a buffer overflow vulnerability that allow for authentication bypass and remote code execution. |
| CVE-2017-5070 | Google Chromium V8 Engine contains a type confusion vulnerability which allows a remote attacker to execute code inside a sandbox. |
| CVE-2017-5030 | Google Chromium V8 Engine contains a memory corruption vulnerability which allows a remote attacker to execute code. |
| CVE-2016-5198 | Google Chromium V8 Engine contains an out-of-bounds memory vulnerability. |
| CVE-2016-1646 | Google Chromium V8 contains an out-of-bounds read vulnerability. |
| CVE-2013-1331 | Microsoft Office contains a buffer overflow vulnerability which allows remote attackers to execute code via crafted PNG data in an Office document. |
| CVE-2012-5054 | Adobe Flash Player contains an integer overflow vulnerability which allows remote attackers to execute code via malformed arguments. |
| CVE-2012-4969 | Microsoft Internet Explorer contains a use-after-free vulnerability which allows remote attackers to execute code via a crafted web site. |
| CVE-2012-1889 | Microsoft XML Core Services contains a memory corruption vulnerability which could allow for remote code execution. |
| CVE-2012-0767 | Adobe Flash Player contains a XSS vulnerability which allows remote attackers to inject web script or HTML. |
| CVE-2012-0754 | Adobe Flash Player contains a memory corruption vulnerability which allows remote attackers to execute code or cause denial-of-service. |
| CVE-2012-0151 | The Authenticode Signature Verification function in Microsoft Windows (WinVerifyTrust) does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute code. |
| CVE-2011-2462 | The Universal 3D (U3D) component in Adobe Acrobat and Reader contains a memory corruption vulnerability which could allow remote attackers to execute code or cause denial-of-service. |
| CVE-2011-0609 | Adobe Flash Player contains an unspecified vulnerability which allows remote attackers to execute code or cause denial-of-service. |
| CVE-2010-2883 | Adobe Acrobat and Reader contain a stack-based buffer overflow vulnerability which allows remote attackers to execute code or cause denial-of-service. |
| CVE-2010-2572 | Microsoft PowerPoint contains a buffer overflow vulnerability that alllows for remote code execution. |
| CVE-2010-1297 | Adobe Flash Player contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service. |
| CVE-2009-4324 | Use-after-free vulnerability in Adobe Acrobat and Reader allows remote attackers to execute code via a crafted PDF file. |
| CVE-2009-3953 | Adobe Acrobat and Reader contains an array boundary issue in Universal 3D (U3D) support that could lead to remote code execution. |
| CVE-2009-1862 | Adobe Acrobat and Reader and Adobe Flash Player allows remote attackers to execute code or cause denial-of-service. |
| CVE-2009-0563 | Microsoft Office contains a buffer overflow vulnerability that allows remote attackers to execute code via a Word document with a crafted tag containing an invalid length field. |
| CVE-2009-0557 | Microsoft Office contains an object record corruption vulnerability which allows remote attackers to execute code via a crafted Excel file with a malformed record object. |
| CVE-2008-0655 | Adobe Acrobat and Reader contains an unespecified vulnerability described as a design flaw which could allow a specially crafted file to be printed silently an arbitrary number of times. |
| CVE-2007-5659 | Adobe Acrobat and Reader contain a buffer overflow vulnerability which allows remote attackers to execute code via a PDF file with long arguments to unspecified JavaScript methods. |
| CVE-2006-2492 | Microsoft Word and Microsoft Works Suites contain a malformed object pointer which allows attackers to execute code. |
今回カタログに追加された脆弱性は、最も古いもので2006年に発行されたものが含まれている。カタログにはアクティブに悪用されている脆弱性が追加される仕組みになっており、脆弱性自体は古いものが含まれることも多い。長期にわたって使っている製品がこうした脆弱性を抱えたままになっていることもあるため、カタログに追加された製品に関しては再度情報を確認するとともに、必要に応じてアップデートを適用することが望まれる。
