CVE-2021-28203: ASUS BMC's firmware: command injection - Web Set Media Image function
First published: Tue Apr 06 2021(Updated: )
The Web Set Media Image function in ASUS BMC’s firmware Web management page does not filter the specific parameter. As obtaining the administrator permission, remote attackers can launch command injection to execute command arbitrary.
Credit: twcert@cert.org.tw
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asus Z10pr-d16 Firmware | =1.14.51 | |
| Asus Z10pr-d16 | ||
| Asus Asmb8-ikvm Firmware | =1.14.51 | |
| Asus Asmb8-ikvm | ||
| Asus Z10pe-d16 Ws Firmware | =1.14.2 | |
| Asus Z10pe-d16 Ws |
Remedy
update BMC's firmwares to the following versions: Z10PR-D16 1.16.1 ASMB8-iKVM 1.16.1 Z10PE-D16 WS 1.16.1
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- agent/weakness
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/event
- agent/type
- agent/tags
- vendor/asus
- canonical/asus z10pr-d16 firmware
- version/asus z10pr-d16 firmware/1.14.51
- canonical/asus z10pr-d16
- canonical/asus asmb8-ikvm firmware
- version/asus asmb8-ikvm firmware/1.14.51
- canonical/asus asmb8-ikvm
- canonical/asus z10pe-d16 ws firmware
- version/asus z10pe-d16 ws firmware/1.14.2
- canonical/asus z10pe-d16 ws