CVE-2022-22986 - OpenCVE

Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:A/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Ntt-east	Og410xi Firmware Og410xa Og810xa Firmware Og810xa Og810xi Firmware Og410xa Firmware Og410xi Og810xi

Configuration 1 [-]

AND

cpe:2.3:o:ntt-east:og410xa_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ntt-east:og410xa:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ntt-east:og410xi_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ntt-east:og410xi:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:ntt-east:og810xa_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ntt-east:og810xa:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:ntt-east:og810xi_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ntt-east:og810xi:-:*:*:*:*:*:*:*

References

Link	Resource
https://business.ntt-east.co.jp/topics/2022/03_22.html	Vendor Advisory
https://jvn.jp/en/vu/JVNVU94900322/index.html	Third Party Advisory VDB Entry
https://www.ntt-west.co.jp/smb/kiki_info/info/220322.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2022-03-31T07:20:41

Updated: 2022-03-31T07:20:41

Reserved: 2022-02-02T00:00:00

Link: CVE-2022-22986

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-31T08:15:08.213

Modified: 2022-04-08T13:23:56.937

Link: CVE-2022-22986

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "Netcommunity OG410X and OG810X series", "vendor": "NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION (NTT East) and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION (NTT West)", "versions": [{"status": "affected", "version": "Netcommunity OG410Xa, OG410Xi, OG810Xa and OG810Xi firmware Ver.2.28 and earlier"}]}], "descriptions": [{"lang": "en", "value": "Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file."}], "problemTypes": [{"descriptions": [{"description": "OS Command Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-31T07:20:41", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://business.ntt-east.co.jp/topics/2022/03_22.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.ntt-west.co.jp/smb/kiki_info/info/220322.html"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/vu/JVNVU94900322/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2022-22986", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Netcommunity OG410X and OG810X series", "version": {"version_data": [{"version_value": "Netcommunity OG410Xa, OG410Xi, OG810Xa and OG810Xi firmware Ver.2.28 and earlier"}]}}]}, "vendor_name": "NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION (NTT East) and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION (NTT West)"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://business.ntt-east.co.jp/topics/2022/03_22.html", "refsource": "MISC", "url": "https://business.ntt-east.co.jp/topics/2022/03_22.html"}, {"name": "https://www.ntt-west.co.jp/smb/kiki_info/info/220322.html", "refsource": "MISC", "url": "https://www.ntt-west.co.jp/smb/kiki_info/info/220322.html"}, {"name": "https://jvn.jp/en/vu/JVNVU94900322/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/vu/JVNVU94900322/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2022-22986", "datePublished": "2022-03-31T07:20:41", "dateReserved": "2022-02-02T00:00:00", "dateUpdated": "2022-03-31T07:20:41", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ntt-east:og410xa_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7861472-045E-4996-8161-A501710728C9", "versionEndIncluding": "2.28", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ntt-east:og410xa:-:*:*:*:*:*:*:*", "matchCriteriaId": "153F1AD9-3DC9-4D40-A211-A773D9E5F702", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ntt-east:og410xi_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "450EE2C9-75D1-43C2-B872-0C0D80E928D1", "versionEndIncluding": "2.28", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ntt-east:og410xi:-:*:*:*:*:*:*:*", "matchCriteriaId": "315D2DEB-B1FD-4E68-91C3-64882032DAAD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ntt-east:og810xa_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE3DFA4E-A389-4CE3-8941-C82C0799F046", "versionEndIncluding": "2.28", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ntt-east:og810xa:-:*:*:*:*:*:*:*", "matchCriteriaId": "3FDD45EF-B29A-4D53-889E-1D276F9844E5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ntt-east:og810xi_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D54251A-4FAD-4D80-9005-1AF31ABC87C7", "versionEndIncluding": "2.28", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ntt-east:og810xi:-:*:*:*:*:*:*:*", "matchCriteriaId": "3CA0C9D4-D0C8-4F5F-A62D-3E733D452CE9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file."}, {"lang": "es", "value": "Las series Netcommunity OG410X y OG810X (firmware Netcommunity OG410Xa, OG410Xi, OG810Xa y OG810Xi Versiones 2.28 y anteriores) permiten a un atacante en la red adyacente ejecutar un comando de Sistema Operativo arbitrario por medio de un archivo de configuraci\u00f3n especialmente dise\u00f1ado"}], "id": "CVE-2022-22986", "lastModified": "2022-04-08T13:23:56.937", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-31T08:15:08.213", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://business.ntt-east.co.jp/topics/2022/03_22.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://jvn.jp/en/vu/JVNVU94900322/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.ntt-west.co.jp/smb/kiki_info/info/220322.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}