[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

RE: CVE for ASUS

To : Kurt Seifried < kseifried@redhat.com >, cve-editorial-board-list < cve-editorial-board-list@lists.mitre.org >
Subject : RE: CVE for ASUS
From : Common Vulnerabilities & Exposures < cve@mitre.org >
Date : Wed, 8 Jun 2016 03:14:22 +0000
Accept-language : en-US
Authentication-results : spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;mitre.org; dkim=none (message not signed) header.d=none;
Delivery-date : Wed Jun 8 07:48:14 2016
In-reply-to : <CANO=Ty1DR56942zOr8ASQcfdbcbGz9vCNuOPskTGe3wXjYo=ZQ@mail.gmail.com>
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : <CANO=Ty1DR56942zOr8ASQcfdbcbGz9vCNuOPskTGe3wXjYo=ZQ@mail.gmail.com>
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticoutput : 1:3
Thread-index : AQHRwB9J2EuYJxNFwUOHep+toF4BK5/e5g+Q
Thread-topic : CVE for ASUS

Kurt –

This issue actually has an ID, CVE-2016-3966.

The other public references are:

https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf

https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters

We expect that CVE-2016-3966 will be added to the CVE corpus in the near future.

Regards,

The CVE Team

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Monday, June 06, 2016 2:05 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE for ASUS

Timely, ASUS ships a package that defaults to downloading HTTP content and then executing it in a highly trusted way (BIOS/UEFI and more).

http://teletext.zaibatsutel.net/post/145370716258/deadupdate-or-how-i-learned-to-stop-worrying-and

I worry that the business case of "download random stuff online and execute it" is becoming increasingly common (hardware vendors, npm, rubygems.org , pypi, containers, etc.) and we're going to see a lot more stuff like this.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

References :
- CVE for ASUS
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: RE: definitions for what is CVE worthy with downloads/installs and containers
Next by Date: Re: definitions for what is CVE worthy with downloads/installs and containers
Previous by thread: CVE for ASUS
Next by thread: Concern over perception of CVE availability due to coverage document
Index(es):
- Date
- Thread