CVE-2021-28204
ASUS BMC's firmware: command injection - Modify user’s information function
In short
A flaw in ASUS BMC's web management page allows an attacker with administrator access to inject and execute arbitrary commands through the user modification function by exploiting unfiltered parameters. This could give attackers full control over the system.
Technical detail
CWE-78 command injection vulnerability in ASUS BMC firmware's web management interface affects the user information modification endpoint. An authenticated attacker with administrator privileges can inject OS commands through insufficiently sanitized parameters, leading to arbitrary command execution with BMC-level privileges.
Summary generated and translated by AI from the official description.
The specific function in ASUS BMC's firmware Web management page (Modify user's information function) does not filter the specific parameter. Having obtained administrator permission, remote attackers can launch command injection to execute arbitrary commands.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
ASUS · BMC firmware for ASMB8-iKVM
ASUS · BMC firmware for Z10PE-D16 WS
ASUS · BMC firmware for Z10PR-D16