cvelist / Twcert / CVELIST:CVE-2021-28176
Apr 06, 2021 - 5:01 a.m.

CVE-2021-28176 ASUS BMC's firmware: buffer overflow - DNS configuration function

2021-04-06 05:01:59
CWE-120
twcert
www.cve.org
Tags: asus, bmc, firmware, buffer overflow, dns configuration, vulnerability, remote attackers, web service

CVSS3: 4.9

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

AI Score: 5.6
Confidence: High

EPSS: 0.003
Percentile: 71.8%

The DNS configuration function in the Web management page of ASUS BMC's firmware does not verify the length of strings entered by users, resulting in a buffer overflow vulnerability. After obtaining privileged permission, remote attackers can use the vulnerability to abnormally terminate the Web service.

CNA Affected

[
  {
    "product": "BMC firmware for Z10PR-D16",
    "vendor": "ASUS",
    "versions": [
      {
        "status": "affected",
        "version": "1.14.51"
      }
    ]
  },
  {
    "product": "BMC firmware for ASMB8-iKVM",
    "vendor": "ASUS",
    "versions": [
      {
        "status": "affected",
        "version": "1.14.51"
      }
    ]
  },
  {
    "product": "BMC firmware for Z10PE-D16 WS",
    "vendor": "ASUS",
    "versions": [
      {
        "status": "affected",
        "version": "1.14.2"
      }
    ]
  }
]
