CVE-2021-28176 Explained : Impact and Mitigation

A Buffer Overflow vulnerability in ASUS BMC's firmware allows remote attackers to disrupt web services by exploiting the DNS configuration function.

Understanding CVE-2021-28176

This CVE involves a Buffer Overflow vulnerability in ASUS BMC's firmware due to inadequate string length verification in the DNS configuration function.

What is CVE-2021-28176?

The DNS configuration function in ASUS BMC’s firmware Web management page lacks proper string length validation, leading to a Buffer Overflow vulnerability. Attackers with privileged access can exploit this to disrupt web services.

The Impact of CVE-2021-28176

With a CVSS base score of 4.9, this Medium-severity vulnerability poses a high availability impact, allowing remote attackers to terminate web services without requiring user interaction.

Technical Details of CVE-2021-28176

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The DNS configuration function in ASUS BMC’s firmware lacks adequate string length validation, enabling a Buffer Overflow vulnerability that can be exploited by remote attackers.

Affected Systems and Versions

BMC firmware for Z10PR-D16 version 1.14.51
BMC firmware for ASMB8-iKVM version 1.14.51
BMC firmware for Z10PE-D16 WS version 1.14.2

Exploitation Mechanism

Remote attackers with high privileges can abuse the Buffer Overflow vulnerability in ASUS BMC's firmware to disrupt web services.

Mitigation and Prevention

To safeguard against CVE-2021-28176, it is crucial to take immediate mitigative steps and implement long-term security practices.

Immediate Steps to Take

Update ASUS BMC's firmwares to the following versions:

Z10PR-D16 1.16.1
ASMB8-iKVM 1.16.1
Z10PE-D16 WS 1.16.1

Long-Term Security Practices

Establish comprehensive security protocols within your network infrastructure to prevent similar vulnerabilities in the future.

Patching and Updates

Regularly monitor and apply firmware updates to ensure system security.