CVE-2021-28175 – ASUS BMC's firmware: buffer overflow - Radius configuration function
https://notcve.org/view.php?id=CVE-2021-28175
The Radius configuration function in ASUS BMC’s firmware Web management page does not verify the length of strings entered by users, resulting in a buffer overflow vulnerability. After obtaining privileged permission, remote attackers can use the leakage to abnormally terminate the Web service. • https://www.asus.com/content/ASUS-Product-Security-Advisory https://www.asus.com/tw/support/callus https://www.twcert.org.tw/tw/cp-132-4543-98220-1.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2021-26943
https://notcve.org/view.php?id=CVE-2021-26943
The UX360CA BIOS through 303 on ASUS laptops allows an attacker (with the ring 0 privilege) to overwrite nearly arbitrary physical memory locations, including SMRAM, and execute arbitrary code in the SMM (issue 3 of 3). • https://www.asus.com/support/FAQ/1045541 https://www.youtube.com/watch?v=1H3AfaVyeuk •
CVE-2021-27403
https://notcve.org/view.php?id=CVE-2021-27403
Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS. • https://github.com/bokanrb/CVE-2021-27403 https://github.com/bokanrb/XSS-Askey • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-27404
https://notcve.org/view.php?id=CVE-2021-27404
Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injection of a Host HTTP header. • https://github.com/bokanrb/CVE-2021-27404 https://github.com/bokanrb/HostHeaderInjection-Askey • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2021-3229
https://notcve.org/view.php?id=CVE-2021-3229
Denial of service in ASUSWRT ASUS RT-AX3000 firmware versions 3.0.0.4.384_10177 and earlier versions allows an attacker to disrupt the use of device setup services via continuous login error. • https://github.com/fullbbadda1208/CVE-2021-3229 https://dlcdnimgs.asus.com/websites/global/productcustomizedTab/562/ASUSWRT%20portal%20feature.pdf https://www.asus.com/us/ASUSWRT •