CVE-2021-28178 : Security Advisory and Response

This article provides detailed information about CVE-2021-28178, a vulnerability in ASUS BMC's firmware that leads to a buffer overflow in the UEFI configuration function.

Understanding CVE-2021-28178

CVE-2021-28178 is a vulnerability in ASUS BMC's firmware that allows remote attackers to exploit a buffer overflow in the UEFI configuration function.

What is CVE-2021-28178?

The UEFI configuration function in ASUS BMC's firmware Web management page does not verify user-entered string lengths, leading to a buffer overflow vulnerability. Attackers with privileged permission can use this to disrupt the Web service.

The Impact of CVE-2021-28178

With a CVSS base score of 4.9 (Medium severity), this vulnerability could allow remote attackers to attain high availability impact, affecting certain versions of BMC firmware for ASUS products.

Technical Details of CVE-2021-28178

This section delves into the specifics of the vulnerability.

Vulnerability Description

The vulnerability arises from the lack of string length verification in the UEFI configuration function of ASUS BMC's firmware, enabling a buffer overflow exploit.

Affected Systems and Versions

ASUS products such as BMC firmware for Z10PR-D16, ASMB8-iKVM, and Z10PE-D16 WS are impacted by versions 1.14.51 and 1.14.2.

Exploitation Mechanism

Remote attackers leverage the buffer overflow vulnerability to disrupt the Web service after obtaining privileged access.

Mitigation and Prevention

Discover the steps to mitigate the impact and prevent further exploitation.

Immediate Steps to Take

Update affected ASUS BMC firmware to secure versions: Z10PR-D16 1.16.1, ASMB8-iKVM 1.16.1, and Z10PE-D16 WS 1.16.1.

Long-Term Security Practices

Maintain updated firmware versions and follow secure configuration practices to reduce the risk of similar vulnerabilities.

Patching and Updates

Regularly check for firmware updates and apply patches promptly to eliminate security vulnerabilities.