JVNDB-2022-001477

Netcommunity OG410X and OG810X VoIP gateway/Hikari VoIP adapter for business offices vulnerable to OS command injection

Netcommunity OG410X and OG810X series provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contain an OS command injection vulnerability (CWE-78, CVE-2022-22986).

Chuya Hayakawa of 00One, Inc. reported this vulnerability to NTT East and NTT West and coordinated. NTT East, NTT West and JPCERT/CC published respective advisories in order to notify users of this vulnerability.

NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION

• Netcommunity OG410Xa firmware Ver.2.28 and earlier
• Netcommunity OG410Xi firmware Ver.2.28 and earlier
• Netcommunity OG810Xa firmware Ver.2.28 and earlier
• Netcommunity OG810Xi firmware Ver.2.28 and earlier

NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION

• Netcommunity OG410Xa firmware Ver.2.28 and earlier
• Netcommunity OG410Xi firmware Ver.2.28 and earlier
• Netcommunity OG810Xa firmware Ver.2.28 and earlier
• Netcommunity OG810Xi firmware Ver.2.28 and earlier

An arbitrary OS command may be executed by an attacker via specially crafted config files.

[Update the firmware]
Apply the appropriate firmware update according to the information provided by the developer.

NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION

• Nippon Telegraph and Telephone West Corporation : For the users of "Netcommunity OG410X810X series" (in Japanese)

NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION

• Nippon Telegraph and Telephone East Corporation : For the users of Netcommunity OG410X810X series (in Japanese)

1. OS Command Injection(CWE-78) [Other]

1. CVE-2022-22986

1. JVN : JVNVU#94900322
2. National Vulnerability Database (NVD) : CVE-2022-22986

• [2022/03/23]
    Web page was published