CVE-2021-28177

EPSS 0.9%
Published 06.04.2021 05:15:14
Last modified 21.11.2024 05:59:15
Source twcert@cert.org.tw
Teams watchlist Login
Open Login

The LDAP configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service.

Affected products Warnungen 0 Metrics 4 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Asus ≫ Z10pr-d16 Firmware Version1.14.51

Asus ≫ Z10pr-d16 Version-

Asus ≫ Asmb8-ikvm Firmware Version1.14.51

Asus ≫ Asmb8-ikvm Version-

Asus ≫ Z10pe-d16 Ws Firmware Version1.14.2

Asus ≫ Z10pe-d16 Ws Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.9%	0.734

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:N/A:P
twcert@cert.org.tw	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

https://www.asus.com/content/ASUS-Product-Security-Advisory/

Vendor Advisory

https://www.asus.com/tw/support/callus/

Vendor Advisory

https://www.twcert.org.tw/tw/cp-132-4547-88e43-1.html

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-28177

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-28177

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-28177

EUVD