CVE-2021-28186 MEDIUM

CVE-2021-28186: ASUS BMC's firmware: buffer overflow - ActiveX configuration-2 acquisition

Vendor Asus
Product BMC firmware for Z10PR-D16
Weakness CWE-120
Published April 6, 2021
Last update September 16, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

A specific function in the Web management page of ASUS BMC's firmware (ActiveX configuration-2 acquisition) does not verify the length of the string entered by users, resulting in a buffer overflow vulnerability. After obtaining privileged permissions, remote attackers can use the flaw to abnormally terminate the Web service.

Key dates

02 Disclosure timeline

April 6, 2021 CVE published
September 16, 2024 Record updated