米国土安全保障省サイバーセキュリティ・インフラストラクチャセキュリティ庁(CISA: Cybersecurity and Infrastructure Security Agency)は2022年6月8日(米国時間)、「CISA Adds 36 Known Exploited Vulnerabilities to Catalog |CISA」において、「Known Exploited Vulnerabilities Catalog」に36個の脆弱性を追加したと伝えた。これら脆弱性はサイバー犯罪者によって積極的に悪用されていることが確認されており注意が必要。

  • CISA Adds 36 Known Exploited Vulnerabilities to Catalog |CISA

    CISA Adds 36 Known Exploited Vulnerabilities to Catalog |CISA

影響を受ける主な製品やサービスは次のとおり。

脆弱性の主な内容は次のとおり。

CVE番号 脆弱性内容
CVE-2022-31460 Owl Labs Meeting Owl and Whiteboard Owl allow attackers to activate Tethering Mode with hard-coded hoothoot credentials via a certain c 150 value.
CVE-2019-7195 QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
CVE-2019-7194 QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
CVE-2019-7193 QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system.
CVE-2019-7192 QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system.
CVE-2019-5825 Google Chromium V8 contains an out-of-bounds write vulnerability which allows a remote attacker to potentially exploit heap corruption.
CVE-2019-15271 A deserialization of untrusted data vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an attacker to execute code with root privileges.
CVE-2018-6065 Google Chromium V8 Engine contains an integer overflow vulnerability which allows a remote attacker to potentially exploit heap corruption.
CVE-2018-4990 Adobe Acrobat and Reader have a double free vulnerability that could lead to remote code execution.
CVE-2018-17480 Google Chromium V8 contains an out-of-bounds write vulnerability which allows a remote attacker to execute code inside a sandbox.
CVE-2018-17463 Google Chromium V8 contains an unspecified vulnerability which allows for remote code execution.
CVE-2017-6862 Multiple NETGEAR devices contain a buffer overflow vulnerability that allow for authentication bypass and remote code execution.
CVE-2017-5070 Google Chromium V8 Engine contains a type confusion vulnerability which allows a remote attacker to execute code inside a sandbox.
CVE-2017-5030 Google Chromium V8 Engine contains a memory corruption vulnerability which allows a remote attacker to execute code.
CVE-2016-5198 Google Chromium V8 Engine contains an out-of-bounds memory vulnerability.
CVE-2016-1646 Google Chromium V8 contains an out-of-bounds read vulnerability.
CVE-2013-1331 Microsoft Office contains a buffer overflow vulnerability which allows remote attackers to execute code via crafted PNG data in an Office document.
CVE-2012-5054 Adobe Flash Player contains an integer overflow vulnerability which allows remote attackers to execute code via malformed arguments.
CVE-2012-4969 Microsoft Internet Explorer contains a use-after-free vulnerability which allows remote attackers to execute code via a crafted web site.
CVE-2012-1889 Microsoft XML Core Services contains a memory corruption vulnerability which could allow for remote code execution.
CVE-2012-0767 Adobe Flash Player contains a XSS vulnerability which allows remote attackers to inject web script or HTML.
CVE-2012-0754 Adobe Flash Player contains a memory corruption vulnerability which allows remote attackers to execute code or cause denial-of-service.
CVE-2012-0151 The Authenticode Signature Verification function in Microsoft Windows (WinVerifyTrust) does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute code.
CVE-2011-2462 The Universal 3D (U3D) component in Adobe Acrobat and Reader contains a memory corruption vulnerability which could allow remote attackers to execute code or cause denial-of-service.
CVE-2011-0609 Adobe Flash Player contains an unspecified vulnerability which allows remote attackers to execute code or cause denial-of-service.
CVE-2010-2883 Adobe Acrobat and Reader contain a stack-based buffer overflow vulnerability which allows remote attackers to execute code or cause denial-of-service.
CVE-2010-2572 Microsoft PowerPoint contains a buffer overflow vulnerability that alllows for remote code execution.
CVE-2010-1297 Adobe Flash Player contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service.
CVE-2009-4324 Use-after-free vulnerability in Adobe Acrobat and Reader allows remote attackers to execute code via a crafted PDF file.
CVE-2009-3953 Adobe Acrobat and Reader contains an array boundary issue in Universal 3D (U3D) support that could lead to remote code execution.
CVE-2009-1862 Adobe Acrobat and Reader and Adobe Flash Player allows remote attackers to execute code or cause denial-of-service.
CVE-2009-0563 Microsoft Office contains a buffer overflow vulnerability that allows remote attackers to execute code via a Word document with a crafted tag containing an invalid length field.
CVE-2009-0557 Microsoft Office contains an object record corruption vulnerability which allows remote attackers to execute code via a crafted Excel file with a malformed record object.
CVE-2008-0655 Adobe Acrobat and Reader contains an unespecified vulnerability described as a design flaw which could allow a specially crafted file to be printed silently an arbitrary number of times.
CVE-2007-5659 Adobe Acrobat and Reader contain a buffer overflow vulnerability which allows remote attackers to execute code via a PDF file with long arguments to unspecified JavaScript methods.
CVE-2006-2492 Microsoft Word and Microsoft Works Suites contain a malformed object pointer which allows attackers to execute code.

今回カタログに追加された脆弱性は、最も古いもので2006年に発行されたものが含まれている。カタログにはアクティブに悪用されている脆弱性が追加される仕組みになっており、脆弱性自体は古いものが含まれることも多い。長期にわたって使っている製品がこうした脆弱性を抱えたままになっていることもあるため、カタログに追加された製品に関しては再度情報を確認するとともに、必要に応じてアップデートを適用することが望まれる。