CVE-2021-28178

EPSS 0.9%
Veröffentlicht 06.04.2021 05:15:14
Zuletzt bearbeitet 21.11.2024 05:59:16
Quelle twcert@cert.org.tw
Teams Watchlist Login
Unerledigt Login

The UEFI configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Asus ≫ Z10pr-d16 Firmware Version1.14.51

Asus ≫ Z10pr-d16 Version-

Asus ≫ Asmb8-ikvm Firmware Version1.14.51

Asus ≫ Asmb8-ikvm Version-

Asus ≫ Z10pe-d16 Ws Firmware Version1.14.2

Asus ≫ Z10pe-d16 Ws Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.9%	0.734

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:N/A:P
twcert@cert.org.tw	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

https://www.asus.com/content/ASUS-Product-Security-Advisory/

Vendor Advisory

https://www.asus.com/tw/support/callus/

Vendor Advisory

https://www.twcert.org.tw/tw/cp-132-4548-7a2c6-1.html

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-28178

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-28178

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-28178

EUVD