CVE-2021-28196

CWE-120 — Classic Buffer Overflow5 documents4 sources

Severity

4.9MEDIUM

EPSS

0.6%

top 29.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asus BMC Firmware FOR Asmb9-ikvm Asus BMC Firmware FOR E700 G4 Asus BMC Firmware FOR Esc4000 DHD G4 +85 more

Timeline

PublishedApr 6

Latest updateMay 24

Description

The specific function in ASUS BMC’s firmware Web management page (Generate SSL certificate function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages88 packages

▶NVDasus/e700_g4_firmware1.14.1

▶NVDasus/knpa-u16_firmware1.13.4

▶NVDasus/z11pa-d8_firmware1.14.1

▶NVDasus/z11pa-d8c_firmware1.14.1

▶NVDasus/z11pa-u12_firmware1.15.1

🔴Vulnerability Details

GHSA

GHSA-jvv6-hfxg-55hg: The specific function in ASUS BMC’s firmware Web management page (Generate SSL certificate function) does not verify the string length entered by user↗2022-05-24

▶

CVEList

ASUS BMC's firmware: buffer overflow - Generate SSL certificate function↗2021-04-06

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: NM Core (Kerberos) — CVE-2020-28196↗2021-07-15

▶

Oracle

Oracle Oracle MySQL Risk Matrix: Server: Security: Encryption (MIT Kerberos) — CVE-2020-28196↗2021-04-15

▶