
RE: CVE for ASUS



Kurt –

This issue actually has an ID, CVE-2016-3966.

The other public references are:

  https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf

  https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters

We expect that CVE-2016-3966 will be added to the CVE corpus in the near future.

Regards,

The CVE Team

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Monday, June 06, 2016 2:05 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE for ASUS

 

Timely, ASUS ships a package that defaults to downloading HTTP content and then executing it in a highly trusted way (BIOS/UEFI and more).

I worry that the business case of "download random stuff online and execute it" is becoming increasingly common (hardware vendors, npm, rubygems.org, pypi, containers, etc.) and we're going to see a lot more stuff like this.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
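The pattern Kurt describes, an updater that fetches over plaintext HTTP and executes the result with firmware-level trust, is exactly what a signed-manifest gate on the client is meant to stop. The Go example below is added here and is not code from this thread, from ASUS, or from the Duo write-up; the Manifest layout, the Ed25519 vendor key derived from a constructed fixed seed, and the example.invalid URLs are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
	"strings"
)

// Manifest is a constructed update descriptor; Signature covers URL and SHA256.
type Manifest struct {
	URL       string
	SHA256    string
	Signature []byte
}

func signedBytes(m Manifest) []byte { return []byte(m.URL + "\n" + m.SHA256) }

// NewVendorKey stands in for the vendor's offline signing key (fixed zero seed,
// demo only); only the public half would ship embedded in the updater binary.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// MakeManifest is the vendor-side publish step: hash the payload, sign the manifest.
func MakeManifest(priv ed25519.PrivateKey, rawURL string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{URL: rawURL, SHA256: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate is the client-side gate that must pass before anything the updater
// fetched is written to flash or executed: authenticate, check transport, check bytes.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, signedBytes(m), m.Signature) {
		return errors.New("manifest signature invalid") // forged or tampered manifest
	}
	if u, err := url.Parse(m.URL); err != nil || !strings.EqualFold(u.Scheme, "https") {
		return errors.New("update URL must use https") // a plaintext fetch is out of policy
	}
	sum := sha256.Sum256(payload)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return errors.New("payload digest mismatch") // bytes differ from what was signed
	}
	return nil
}
```

A real updater would additionally fetch the manifest and payload only over TLS with certificate validation, so the https check here is the policy backstop, not the only transport protection.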


Page Last Updated or Reviewed: June 16, 2016