[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE for ASUS

To: Kurt Seifried <kseifried@redhat.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: CVE for ASUS
From: Common Vulnerabilities & Exposures <cve@mitre.org>
Date: Wed, 8 Jun 2016 03:14:22 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;mitre.org; dkim=none (message not signed) header.d=none;
Delivery-date: Wed Jun 8 07:48:14 2016
In-reply-to: <CANO=Ty1DR56942zOr8ASQcfdbcbGz9vCNuOPskTGe3wXjYo=ZQ@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty1DR56942zOr8ASQcfdbcbGz9vCNuOPskTGe3wXjYo=ZQ@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticoutput: 1:3
Thread-index: AQHRwB9J2EuYJxNFwUOHep+toF4BK5/e5g+Q
Thread-topic: CVE for ASUS

Kurt –

This issue actually has an ID, CVE-2016-3966.

The other public references are:

https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf

https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters

We expect that CVE-2016-3966 will be added to the CVE corpus in the near future.

Regards,

The CVE Team

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Monday, June 06, 2016 2:05 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE for ASUS

Timely, ASUS ships a package that defaults to downloading HTTP content and then executing it in a highly trusted way (BIOS/UEFI and more).

http://teletext.zaibatsutel.net/post/145370716258/deadupdate-or-how-i-learned-to-stop-worrying-and

I worry that the business case of "download random stuff online and execute it" is becoming increasingly common (hardware vendors, npm, rubygems.org, pypi, containers, etc.) and we're going to see a lot more stuff like this.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

References:
- CVE for ASUS
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: RE: definitions for what is CVE worthy with downloads/installs and containers
Next by Date: Re: definitions for what is CVE worthy with downloads/installs and containers
Previous by thread: CVE for ASUS
Next by thread: Concern over perception of CVE availability due to coverage document
Index(es):
- Date
- Thread