CVE-2021-28187 — Classic Buffer Overflow in BMC Firmware FOR Asmb8-ikvm

CWE-120 — Classic Buffer Overflow3 documents3 sources

Severity

4.9MEDIUMNVD

EPSS

0.6%

top 29.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asus BMC Firmware FOR Asmb8-ikvm Asus BMC Firmware FOR Z10pe-d16 WS Asus BMC Firmware FOR Z10pr-d16 +3 more

Timeline

PublishedApr 6

Latest updateMay 24

Description

The specific function in ASUS BMC’s firmware Web management page (Generate new SSL certificate) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages6 packages

▶NVDasus/z10pr-d16_firmware1.14.51

▶NVDasus/asmb8-ikvm_firmware1.14.51

▶NVDasus/z10pe-d16_ws_firmware1.14.2

▶CVEListV5asus/bmc_firmware_for_z10pr-d161.14.51

▶CVEListV5asus/bmc_firmware_for_asmb8-ikvm1.14.51

🔴Vulnerability Details

GHSA

GHSA-q8v3-m5xx-vj46: The specific function in ASUS BMC’s firmware Web management page (Generate new SSL certificate) does not verify the string length entered by users, re↗2022-05-24

▶

CVEList

ASUS BMC's firmware: buffer overflow - Generate new SSL certificate↗2021-04-06

▶