Exposed IOCTL with Insufficient Access Control

CVE-2024-33221

High

7.8/10

Summary

An issue in the component AsusBSItf.sys of ASUSTeK Computer Inc ASUS BIOS Flash Driver v3.2.12.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-782 - Exposed IOCTL with Insufficient Access Control

The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

References

Advisory Timeline

Published May 22, 2024

Exposed IOCTL with Insufficient Access Control

CVE-2024-33221

Summary

CWE-782 - Exposed IOCTL with Insufficient Access Control

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS