CVE for ASUS

CVE for ASUS

Kurt Seifried
Timely, ASUS ships a package that defaults to downloading HTTP content and then executing it in a highly trusted way (BIOS/UEFI and more). 


I worry that the business case of "download random stuff online and execute it" is becoming increasingly common (hardware vendors, npm, rubygems.org, pypi, containers, etc.) and we're going to see a lot more stuff like this.


--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]
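The failure mode Kurt describes, and the checks that close it, as an added example in Go (not code from this thread, from ASUS's updater, or from Duo's analysis): an updater that executes whatever a plain-HTTP fetch returned, beside one that first verifies an Ed25519 signature over a manifest with a key pinned in the client and then checks the downloaded artifact against the hash the signed manifest promised. The manifest format, the URL, the payload bytes, and the stubbed fetch functions are all assumptions constructed for the example; the simulation plays an on-path attacker against both updaters.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the only thing the vendor signs; every artifact it names is
// pinned by hash. Hypothetical format for this example, not any vendor's.
type Manifest struct {
	URL    string `json:"url"`
	SHA256 string `json:"sha256"` // hex SHA-256 of the payload at URL
}

// SignedManifest keeps the exact signed bytes so verification never re-serialises.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte // detached Ed25519 signature over Manifest
}

var ErrBadSignature = errors.New("manifest signature does not verify against the pinned key")
var ErrHashMismatch = errors.New("payload hash does not match the signed manifest")

// InsecureUpdate is the pattern the thread complains about: fetch over plain HTTP, then run it.
func InsecureUpdate(fetch func(string) []byte, url string, execute func([]byte) error) error {
	return execute(fetch(url))
}

// SignManifest is the vendor-side step, done offline with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	b, _ := json.Marshal(m) // two plain strings cannot fail to marshal
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}
}

// VerifyManifest checks against a key compiled into the client; a key fetched
// over the same channel as the manifest would prove nothing.
func VerifyManifest(pinned ed25519.PublicKey, sm SignedManifest) (m Manifest, err error) {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature
	}
	return m, json.Unmarshal(sm.Manifest, &m)
}

// VerifyPayload pins the artifact to the promised hash, so the mirror or CDN
// that served it need not be trusted at all.
func VerifyPayload(m Manifest, payload []byte) error {
	want, err := hex.DecodeString(m.SHA256)
	if got := sha256.Sum256(payload); err != nil || !bytes.Equal(got[:], want) {
		return ErrHashMismatch
	}
	return nil
}

// SecureUpdate executes only after both checks pass.
func SecureUpdate(pinned ed25519.PublicKey, getManifest func() SignedManifest, fetch func(string) []byte, execute func([]byte) error) error {
	m, err := VerifyManifest(pinned, getManifest())
	if err != nil {
		return err
	}
	payload := fetch(m.URL)
	if err := VerifyPayload(m, payload); err != nil {
		return err
	}
	return execute(payload)
}

// Outcome records what each updater actually executed.
type Outcome struct {
	InsecureRanAttacker bool  // download-and-run installed the hijacked bytes
	SecureRanGenuine    bool  // the checked path still installs an honest download
	SwappedPayload      error // secure path, attacker replaced only the payload
	ForgedManifest      error // secure path, attacker rewrote the manifest hash too
}

// Simulate pits both updaters against an on-path attacker; payloads are
// constructed and the network is stubbed, so it runs offline.
func Simulate() (o Outcome) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand treated as infallible here
	genuine := []byte("genuine firmware image (constructed)")
	attacker := []byte("attacker firmware image (constructed)")
	gsum, asum := sha256.Sum256(genuine), sha256.Sum256(attacker)
	url := "http://updates.example/fw.bin" // hypothetical
	sm := SignManifest(priv, Manifest{URL: url, SHA256: hex.EncodeToString(gsum[:])})
	honest := func(string) []byte { return genuine }
	mitm := func(string) []byte { return attacker } // every fetch is hijacked
	record := func(ran *bool) func([]byte) error { // executor stub: just notes that it ran
		return func([]byte) error { *ran = true; return nil }
	}
	_ = InsecureUpdate(mitm, url, record(&o.InsecureRanAttacker))
	o.SwappedPayload = SecureUpdate(pub, func() SignedManifest { return sm }, mitm, record(new(bool)))
	forged := sm // attacker edits the hash but cannot re-sign: old signature no longer covers the bytes
	forged.Manifest = bytes.Replace(sm.Manifest, []byte(hex.EncodeToString(gsum[:])), []byte(hex.EncodeToString(asum[:])), 1)
	o.ForgedManifest = SecureUpdate(pub, func() SignedManifest { return forged }, mitm, record(new(bool)))
	_ = SecureUpdate(pub, func() SignedManifest { return sm }, honest, record(&o.SecureRanGenuine))
	return o
}

func main() {
	fmt.Printf("%+v\n", Simulate())
}
```

Moving the transport to HTTPS would stop the on-path swap the simulation performs, but not a compromised mirror, CDN or vendor file server; the pinned signing key and the per-artifact hash are what cover those, and the same pair of checks is what lockfile hashes and signed package indexes give the npm/pypi/rubygems case Kurt lists. What remains to trust is the vendor's signing key and the way the client obtained it.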

RE: CVE for ASUS

Common Vulnerabilities & Exposures

Kurt –

This issue actually has an ID, CVE-2016-3966.

The other public references are:

  https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf
  https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters

We expect that CVE-2016-3966 will be added to the CVE corpus in the near future.

Regards,

The CVE Team

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Monday, June 06, 2016 2:05 PM
To: cve-editorial-board-list <[hidden email]>
Subject: CVE for ASUS
