Command injection

2021-04-0605:15:00

PRIOn knowledge base

www.prio-n.com

7.3 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.3%

JSON

The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can launch command injection to execute command arbitrary.

CPENameOperatorVersion
asmb8-ikvm_firmwareeq1.14.51
z10pe-d16_ws_firmwareeq1.14.2
z10pr-d16_firmwareeq1.14.51

Name	Operator	Version
asmb8-ikvm_firmware	eq	1.14.51
z10pe-d16_ws_firmware	eq	1.14.2
z10pr-d16_firmware	eq	1.14.51

References

www.asus.com/content/ASUS-Product-Security-Advisory/

www.asus.com/tw/support/callus/

www.twcert.org.tw/tw/cp-132-4574-b61a6-1.html