Learn about CVE-2021-28196, a buffer overflow vulnerability in ASUS BMC firmware that remote attackers can exploit, along with its impact and mitigation steps.
This article delves into the details of CVE-2021-28196, a vulnerability in ASUS BMC firmware that could be exploited by remote attackers to terminate web services.
Understanding CVE-2021-28196
This section provides insight into the nature of the vulnerability and its potential impact.
What is CVE-2021-28196?
The specific function in ASUS BMC's firmware Web management page for generating SSL certificates fails to verify user-entered string lengths, leading to a buffer overflow vulnerability. Attackers could exploit this to gain privileged permissions and disrupt the web service.
The Impact of CVE-2021-28196
The vulnerability is rated medium severity, with a CVSS base score of 4.9. It is reachable over the network with low attack complexity, and its availability impact is high.
Technical Details of CVE-2021-28196
This section explores the technical aspects of the vulnerability in ASUS BMC firmware.
Vulnerability Description
The flaw arises from the lack of string length verification in the SSL certificate generation function, allowing attackers to execute a buffer overflow attack.
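The missing length check, sketched as an added example (not ASUS firmware code, which this page does not show). The structure, the function names and the 64/64/2 field limits (the RFC 5280 upper bounds) are assumptions for illustration; each submitted value is checked against its fixed buffer before copying and rejected, not truncated, when it does not fit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed field sizes: RFC 5280 upper bounds, not ASUS's actual buffers. */
enum { CN_MAX = 64, ORG_MAX = 64, COUNTRY_LEN = 2 };
struct cert_request {                       /* hypothetical structure */
    char common_name[CN_MAX + 1];
    char organization[ORG_MAX + 1];
    char country[COUNTRY_LEN + 1];
};

/* Copy a form value of known length into a fixed buffer, or reject it. */
static int copy_field(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || src_len == 0 || src_len >= dst_size)
        return -1;                          /* the length check the flaw lacks */
    if (memchr(src, '\0', src_len) != NULL) /* embedded NUL would hide a truncation */
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Validate every field first; *out is written only if all of them pass. */
int build_cert_request(struct cert_request *out, const char *cn, size_t cn_len,
                       const char *org, size_t org_len, const char *country, size_t country_len)
{
    struct cert_request tmp;
    if (out == NULL || country_len != COUNTRY_LEN)
        return -1;
    memset(&tmp, 0, sizeof tmp);
    if (copy_field(tmp.common_name, sizeof tmp.common_name, cn, cn_len) != 0 ||
        copy_field(tmp.organization, sizeof tmp.organization, org, org_len) != 0 ||
        copy_field(tmp.country, sizeof tmp.country, country, country_len) != 0)
        return -1;
    *out = tmp;
    return 0;
}

int main(void)
{
    struct cert_request req;
    char oversized[200];                    /* constructed input */
    memset(oversized, 'A', sizeof oversized);
    printf("%d\n", build_cert_request(&req, oversized, sizeof oversized, "Org", 3, "TW", 2));
    printf("%d\n", build_cert_request(&req, "bmc.example.test", 16, "Org", 3, "TW", 2));
    return 0;
}
```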
Affected Systems and Versions
Various ASUS BMC firmware versions are affected, such as 1.11.12, 1.10.3, 1.10.0, 1.09, and many others up to version 1.15.4.
Exploitation Mechanism
By manipulating string lengths during SSL certificate generation, attackers can trigger a buffer overflow, potentially gaining unauthorized access.
Mitigation and Prevention
Learn about the steps to mitigate the ASUS BMC firmware vulnerability in this section.
Immediate Steps to Take
Update affected BMC firmware to recommended versions like 1.15.6, 1.15.4, 1.15.3, and other secure releases provided by ASUS.
Long-Term Security Practices
In addition to patching, maintain regular firmware updates, security monitoring, and access control to reduce exposure to future vulnerabilities.
Patching and Updates
Frequently check for firmware updates and security advisories from ASUS to address and fix known vulnerabilities.