CVE-2021-28180

MEDIUM4.9Memory safety

Description

The specific function in ASUS BMC’s firmware Web management page (Audit log configuration setting) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected products

ASUS / BMC firmware for ASMB8-iKVM1.14.51 – 1.14.51
ASUS / BMC firmware for Z10PE-D16 WS1.14.2 – 1.14.2
ASUS / BMC firmware for Z10PR-D161.14.51 – 1.14.51

References

MISChttps://www.asus.com/content/ASUS-Product-Security-Advisory/
MISChttps://www.asus.com/tw/support/callus/
MISChttps://www.twcert.org.tw/tw/cp-132-4550-5ee8c-1.html