CVE-2021-28203

ASUS BMC's firmware: command injection - Web Set Media Image function

CVSS 7.2 HIGH | EPSS 2.0% | CWE-78
In short

A flaw in ASUS BMC's web management interface allows an authenticated user with administrator privileges to execute arbitrary OS commands on the device through the Set Media Image function, because a user-supplied parameter is not validated before use.

Technical detail

The Web Set Media Image function in ASUS BMC firmware fails to sanitize a user-supplied parameter, enabling OS command injection (CWE-78). An authenticated attacker with administrator privileges can exploit this vulnerability to achieve remote code execution on the BMC itself. Because the CVSS vector requires high privileges (PR:H) over the network (AV:N), exposure is driven by who can reach the BMC web interface and hold administrator credentials for it.

Summary generated and translated by AI from the official description.
The Web Set Media Image function in ASUS BMC’s firmware Web management page does not filter the specific parameter. After obtaining administrator permission, remote attackers can launch command injection to execute arbitrary commands.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
