Sign-up

ID

VAR-201910-0889


CVE

CVE-2019-18216


TITLE

ASUS ROG Zephyrus M GM501GS Laptop input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-011221

DESCRIPTION

The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access can exhaust the main battery to reset the BIOS configuration, and then achieve direct access to the hard drive by booting a live USB OS without disassembling the laptop. NOTE: the vendor has apparently indicated that this is "normal" and use of the same battery for the BIOS and the overall system is a "new design." However, the vendor apparently plans to "improve" this an unspecified later time. ** Unsettled ** This case has not been confirmed as a vulnerability. ASUS ROG Zephyrus M GM501GS Laptops are vulnerable to input validation. The vendor has disputed this vulnerability. For details, see NVD of Current Description Please Confirm. https://nvd.nist.gov/vuln/detail/CVE-2019-18216Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

Trust: 2.16

sources: NVD: CVE-2019-18216 // JVNDB: JVNDB-2019-011221 // CNVD: CNVD-2019-37734

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-37734

AFFECTED PRODUCTS

vendor:asusmodel:rog zephyrus m gm501gsscope:eqversion: -

Trust: 2.2

vendor:asustek computermodel:rog zephyrus m gm501gsscope: - version: -

Trust: 0.8

vendor:asusmodel:rog zephyrus m gm501gsscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2019-37734 // JVNDB: JVNDB-2019-011221 // CNNVD: CNNVD-201910-1245 // NVD: CVE-2019-18216

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-18216
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-18216
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-37734
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201910-1245
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-18216
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-37734
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-18216
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-18216
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-37734 // JVNDB: JVNDB-2019-011221 // CNNVD: CNNVD-201910-1245 // NVD: CVE-2019-18216

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-20

Trust: 0.8

sources: JVNDB: JVNDB-2019-011221 // NVD: CVE-2019-18216

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201910-1245

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-011221

PATCH
title:ROG Zephyrus M (GM501)url:https://www.asus.com/jp/Laptops/ROG-Zephyrus-M-GM501/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2019-011221

EXTERNAL IDS
db:NVDid:CVE-2019-18216
Trust: 3.0
db:JVNDBid:JVNDB-2019-011221
Trust: 0.8
db:CNVDid:CNVD-2019-37734
Trust: 0.6
db:CNNVDid:CNNVD-201910-1245
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-37734 // 
            
            
            
            JVNDB: JVNDB-2019-011221 // 
            
            
            
            CNNVD: CNNVD-201910-1245 // 
            
            
            
            NVD: CVE-2019-18216

REFERENCES
url:https://blog.modpr0.be/2019/10/18/asus-rog-bios-reset-on-lost-battery-power/
Trust: 3.0
url:https://nvd.nist.gov/vuln/detail/cve-2019-18216
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18216
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2019-37734 // 
            
            
            
            JVNDB: JVNDB-2019-011221 // 
            
            
            
            CNNVD: CNNVD-201910-1245 // 
            
            
            
            NVD: CVE-2019-18216

SOURCES
db:CNVDid:CNVD-2019-37734
db:JVNDBid:JVNDB-2019-011221
db:CNNVDid:CNNVD-201910-1245
db:NVDid:CVE-2019-18216

LAST UPDATE DATE
2024-11-23T22:37:37.407000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-37734date:2019-10-29T00:00:00
db:JVNDBid:JVNDB-2019-011221date:2019-10-30T00:00:00
db:CNNVDid:CNNVD-201910-1245date:2019-10-25T00:00:00
db:NVDid:CVE-2019-18216date:2024-11-21T04:32:51.133

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-37734date:2019-10-29T00:00:00
db:JVNDBid:JVNDB-2019-011221date:2019-10-30T00:00:00
db:CNNVDid:CNNVD-201910-1245date:2019-10-20T00:00:00
db:NVDid:CVE-2019-18216date:2019-10-20T16:15:10.263