JVNVU#94900322
Netcommunity OG410X and OG810X VoIP gateway/Hikari VoIP adapter for business offices vulnerable to OS command injection
Overview
Netcommunity OG410X and OG810X series provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION (NTT East) and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION (NTT West) contain an OS command injection vulnerability.
Products Affected
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
- Netcommunity OG410Xa, OG410Xi, OG810Xa and OG810Xi firmware Ver.2.28 and earlier
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
- Netcommunity OG410Xa, OG410Xi, OG810Xa and OG810Xi firmware Ver.2.28 and earlier
Description
Netcommunity OG410X and OG810X series provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contain an OS command injection vulnerability (CWE-78, CVE-2022-22986).
Impact
An arbitrary OS command may be executed by an attacker via specially crafted config files.
Solution
Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.
Vendor Status
Vendor | Link |
---|---|
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION | For the users of Netcommunity OG410X810X series (Text in Japanese) |
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION | For the users of "Netcommunity OG410X810X series" (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |
Credit
Chuya Hayakawa of 00One, Inc. reported this vulnerability to NTT East and NTT West and coordinated. NTT East, NTT West and JPCERT/CC published respective advisories in order to notify users of this vulnerability.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2022-22986 |
JVN iPedia | |