CVE-2021-28202

CWE-120 — Classic Buffer Overflow3 documents3 sources

Severity

4.9MEDIUM

EPSS

0.9%

top 24.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asus BMC Firmware FOR Asmb9-ikvm Asus BMC Firmware FOR E700 G4 Asus BMC Firmware FOR Esc4000 DHD G4 +85 more

Timeline

PublishedApr 6

Latest updateMay 24

Description

The Service configuration-2 function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages88 packages

▶NVDasus/e700_g4_firmware1.14.1

▶NVDasus/knpa-u16_firmware1.13.4

▶NVDasus/z11pa-d8_firmware1.14.1

▶NVDasus/z11pa-d8c_firmware1.14.1

▶NVDasus/z11pa-u12_firmware1.15.1

🔴Vulnerability Details

GHSA

GHSA-93gh-j29f-4h3w: The Service configuration-2 function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buf↗2022-05-24

▶

CVEList

ASUS BMC's firmware: buffer overflow - Service configuration-2 function↗2021-04-06

▶