CVE-2021-28180

Description

The specific function in ASUS BMC’s firmware Web management page (Audit log configuration setting) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service.

Related CPE's

oasusz10pr-d16_firmware1.14.51*******
vulnerable
hasusz10pr-d16-*******
oasusasmb8-ikvm_firmware1.14.51*******
vulnerable
hasusasmb8-ikvm-*******
oasusz10pe-d16_ws_firmware1.14.2*******
vulnerable
hasusz10pe-d16_ws-*******

References

N/A

Third Party Advisory

N/A

Vendor Advisory

N/A

Vendor Advisory

CvssV3 impact

BaseSeverity

MEDIUM

ConfidentialityImpact

NONE

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

HIGH

IntegrityImpact

NONE

PrivilegesRequired

HIGH

BaseScore

4.9

VectorString

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

NONE

AvailabilityImpact

PARTIAL

IntegrityImpact

NONE

BaseScore

4

VectorString

AV:N/AC:L/Au:S/C:N/I:N/A:P

Version

2.0

AccessVector

NETWORK

Authentication

SINGLE