米国土安全保障省サイバーセキュリティ・インフラストラクチャセキュリティ庁(CISA: Cybersecurity and Infrastructure Security Agency)は12月13日(米国時間)、「CISA Adds Five Known Exploited Vulnerabilities to Catalog|CISA」において、「Known Exploited Vulnerabilities Catalog」に5個の脆弱性を追加したと伝えた。

翌日の12月14日(米国時間)には、「CISA Adds One Known Exploited Vulnerability to Catalog | CISA」に、脆弱性を1個追加している。

  • CISA Adds Five Known Exploited Vulnerabilities to Catalog|CISA

    CISA Adds Five Known Exploited Vulnerabilities to Catalog|CISA

影響を受ける主な製品やサービスは次のとおり。

脆弱性の主な内容は次のとおり。

CVE番号 脆弱性の内容
CVE-2022-42856 Apple iOS contains a type confusion vulnerability when processing maliciously crafted web content leading to code execution.
CVE-2022-42475 Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specifically crafted requests.
CVE-2022-44698 Microsoft Defender SmartScreen contains a security feature bypass vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file.
CVE-2022-27518 Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IdP configuration, contain an authentication bypass vulnerability which allows an attacker to execute code as administrator.
CVE-2022-26500 The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.
CVE-2022-26501 The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.

カタログに追加された脆弱性は積極的に悪用が既に確認されている点に注意が必要。該当する製品を使っている場合は、提供されているCVE情報やベンダーの提供する情報を確認するとともに、迅速にアップデートを適用することが望まれる。