ASUS Product Security Advisory

    We take every care to ensure that ASUS products are secure in order to protect the privacy of our valued customers. We constantly strive to improve our safeguards for security and personal information in accordance with all applicable laws and regulations, and we welcome all reports from our customers about product-related security or privacy issues. Any information you supply to ASUS will only be used to help resolve the security vulnerabilities or issues you have reported. This process may include contacting you for further relevant information.

    How to report a security vulnerability or issue to ASUS

    We welcome all reports about security-related issues, incidents and privacy concerns, and we invite you to contact us about such matters via our dedicated email address at security@asus.com. In order for us to deal swiftly with your concerns, please include the following information in your email:

    1. Your full name, and a means of contacting you. This can be an email address, a phone number or any other preferred way we can use to get in touch with you. If you provide a phone number, please include the full country code, area code and extension number (if applicable).
    2. Full and detailed information about the issue you wish to report. This should include the following information, as applicable:
      1. The name of the ASUS service(s) or system(s) that your concern relates to.
      2. The product type, product name and model number of the affected hardware products.
      3. The name, description and version number of any affected ASUS software products.
      4. A full and detailed description of the problem or issue, along with any background information that you believe is relevant, and any other pertinent information that may help us reproduce and/or resolve the issue.

    Responsible reporting guidelines

    ASUS appreciates all contributions from customers and the wider ASUS community that help to improve the security of our products and services. However, we kindly request that you act responsibly and bear in mind the following when investigating or reporting any issues:

    1. Do not attempt to access or modify any ASUS services, systems, products or software without authorization.
    2. Do not disclose, modify, destroy or misuse any data you may discover.
    3. All information given to or received from any party relating to the reported issues must remain completely confidential.

    What happens next?

    Once we have resolved the reported issue(s), we will provide a suitable solution to all affected customers. We will treat this with the utmost priority and make the solution available as soon as it is practical to do so.

    ASUS will also maintain a list of the latest software updates, along with descriptions of the issues that have been fixed. Although we will notify customers wherever possible, we also recommend that customers visit this page regularly to make sure they are aware of the latest updates.

    Latest security updates

    08/07/2018 Latest software announcement for ZenFone/ZenPad devices

    ASUS is aware of the vulnerabilities listed below. We take your security seriously and are working diligently to provide a software update for the affected ZenFone/ZenPad models. Please update your ZenFone/ZenPad to the latest software version as soon as it becomes available. In the meantime, we highly recommend using ASUS Mobile Manager or installing another reliable third-party security app to further secure your devices.

    Possible vulnerabilities:
    • A malicious app can get a bug report.
    • A malicious app can take a screenshot (with a screenshot animation).
    • Arbitrary apps can be installed remotely over the internet and can also be uninstalled after being run.
    • Commands can be executed as the system user.

    The following are some security precautions recommended for all users:
    (1) Ensure your operating system and software are up to date with the latest version, which you can find on the ASUS website (www.asus.com). Using the search tool at the top right of the ASUS website, search for your device model, and then follow this path: Support > Driver & Utility > Driver & Tools > BIOS & Firmware. Here you can check whether your device is running the latest version, or download it if your device did not update automatically.
    (2) Do not download any apps outside of Google Play.
    (3) Uninstall all apps previously downloaded from non-Google Play sources.
    (4) Install ASUS Mobile Manager or a reliable third-party security app to strengthen the security of your devices and applications.

    06/08/2018 Security advisory for VPNFilter malware

    Talos Intelligence recently discovered that VPNFilter is targeting more makes and models than initially reported, and the following ASUS routers may be potential targets:
    RT-AC66U
    RT-N10 (EOL)
    RT-N10E (EOL)
    RT-N10U (EOL)
    RT-N56U (EOL)
    RT-N66U

    To help owners of these routers take necessary precautions, we compiled a security checklist:
    (1) Reset the device to factory default: Hold the Reset button in the rear for at least five seconds until the power LED starts blinking.
    (2) Update all devices to the latest firmware.
    (3) Ensure the default admin password has been changed to a more secure one.
    (4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).
    (5) Enable the URL filter in Advanced Settings -> Firewall. Set the Filter table type to Black List. Add "photobucket" and "toknowall" to the URL filter list.

    For any users with the EOL models listed above, we strongly advise upgrading to a router with AiProtection. A wide selection of ASUS and ROG routers offer AiProtection powered by Trend Micro™. Anytime a threat is detected, the connection between your device and the malicious server is blocked before any personal data is compromised. The list of malicious servers is constantly updated by syncing with the Trend Micro cloud database automatically, to ensure your network environment is secure around the clock.

    04/03/2018 Security Vulnerability Notice (CVE-2018-5999, CVE-2018-6000) for ASUS routers

    Vulnerability: CVE-2018-5999, CVE-2018-6000

    ASUS and ROG router products affected are shown in a list below.

    This vulnerability bypasses any user/password changes made by the owner.
    Possible changes to router settings:

    • Port number changes
    • VPN account & password changes
    • DDNS changes
    • UI language changes

    Solution:
    Please immediately update your ASUS and ROG router to the latest firmware available.
    If a firmware update cannot be made, the mitigations listed below should be applied. However, it is strongly advised that the user update the firmware at the earliest opportunity:

    • Disable SSH / Telnet
    • Disable VPN (available on limited models)
    • Enable AiProtection (available on limited models)
    • Change login ID & password again. The password should be at least 8 characters using a mix of letters, numbers and special symbols.

    Affected Products:
    Model             Firmware (Minimum Recommended Version)
    BRT-AC828         3.0.0.4.380.7432
    GT-AC5300         3.0.0.4.384.20287
    RT-AC5300         3.0.0.4.384.20287
    RT-AC88U          3.0.0.4.384.10007
    RT-AC3100         3.0.0.4.384.10007
    RT-AC86U          3.0.0.4.384.10007
    RT-AC2900         3.0.0.4.384.10007
    RT-AC68 series    3.0.0.4.384.10007
    RT-AC1900 series  3.0.0.4.384.10007
    RT-AC66U_B1       3.0.0.4.384.10007
    RT-AC1750_B1      3.0.0.4.384.10007
    RT-AC87 series    3.0.0.4.382.50010
    RT-AC3200         3.0.0.4.382.50010
    RT-AC56U          3.0.0.4.382.50010
    RT-AC55U          3.0.0.4.382.50018
    RT-AC1200         3.0.0.4.380.10446
    RT-N18U           3.0.0.4.382.39935
    RT-AC51U+         3.0.0.4.380.10446
    RT-AC52U_B1       3.0.0.4.380.10446
    Lyra              3.0.0.4.382.11572
    Lyra mini         3.0.0.4.382.11572
    RT-AC66U          3.0.0.4.380.8228
    RT-N66U           3.0.0.4.380.8228
    RT-N600           3.0.0.4.380.10446
    RT-AC1200GU       3.0.0.4.380.10446
    RT-AC1200G        3.0.0.4.382.50276
    RT-AC1200G+       3.0.0.4.382.50276
    RT-AC53           3.0.0.4382.10446
    RT-AC750GF        3.0.0.4382.10446
    RT-AC53U          3.0.0.4.380.8228
    RT-N12_D1         3.0.0.4.380.8228
    RT-N12HP_B1       3.0.0.4.380.8228
    RT-AC56S          3.0.0.4.382.50624
    RT-N14U           3.0.0.4.380.8285
    RT-N14UHP         3.0.0.4.380.8287
    RT-AC54U          3.0.0.4.380.8228
    RT-ACRH17         3.0.0.4.382.50243
    RT-AC55UHP        3.0.0.4.382.50276
    RT-N300           3.0.0.4.380.8228
    RT-AC1200HP       3.0.0.4.380.8228
    RT-AC51U          3.0.0.4.380.8228
    RT-AC750          3.0.0.4.380.8228
    RT-AC52U          3.0.0.4.380.8241
    RT-AC58U          3.0.0.4.380.8228
    RT-ACRH13         3.0.0.4.380.8228
    RT-AC1300UHP      3.0.0.4.380.8228
    RT-N11P_B1        3.0.0.4.380.10410
    RT-N300_B1        3.0.0.4.380.10410
    RT-N12 VP_B1      3.0.0.4.380.10410
    RT-N12+ B1        3.0.0.4.380.10410
    RT-N12+ PRO       3.0.0.4.380.10410
    RT-N12E C1        3.0.0.4.380.10410
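
    One way to check a router inventory against the minimum firmware versions in the table above. This is an added example, not ASUS code: the device names, installed versions and the EXAMPLE-MODEL entry are constructed, and it assumes that a well-formed version has six dot-separated numeric fields compared left to right as integers.

```python
import re

# Subset of rows from the "Affected Products" table above, values as printed.
MIN_FIRMWARE = {
    "RT-AC88U": "3.0.0.4.384.10007",
    "RT-AC66U": "3.0.0.4.380.8228",
    "RT-N14UHP": "3.0.0.4.380.8287",
    "RT-AC53": "3.0.0.4382.10446",  # only five fields as printed on the page
}

# Assumption: a well-formed version has six dot-separated numeric fields,
# like every other row of the table.
VERSION_RE = re.compile(r"\d+(?:\.\d+){5}")


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is malformed."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    return tuple(int(field) for field in text.split("."))


def check_device(model, installed):
    """Classify a device as 'ok', 'update', 'not-listed' or 'unverifiable'."""
    minimum = MIN_FIRMWARE.get(model)
    if minimum is None:
        return "not-listed"
    have, need = parse_version(installed), parse_version(minimum)
    if have is None or need is None:
        return "unverifiable"  # do not guess at a malformed version string
    # Integer comparison: 9999 < 10007, which a plain string compare gets wrong.
    return "ok" if have >= need else "update"


def audit(inventory):
    """Map each device name to its status."""
    return {name: check_device(model, fw) for name, model, fw in inventory}


# Constructed inventory: device names and installed versions are made up.
INVENTORY = [
    ("branch-gw", "RT-AC88U", "3.0.0.4.384.9999"),
    ("lab-ap", "RT-N14UHP", "3.0.0.4.380.8287"),
    ("lobby-ap", "RT-AC53", "3.0.0.4.382.10446"),
    ("spare", "EXAMPLE-MODEL", "3.0.0.4.384.10007"),
]

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name}: {status}")
```

    Devices reported as unverifiable need their minimum version confirmed on the model's support page before any comparison is trusted.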


    12/30/2017 New firmware available for Wireless Router GT-AC5300/ RT-AC5300/ RT-AC88U/ RT-AC3100/ RT-AC87U/ RT-AC87R/ RT-AC3200/ RT-AC86U/ RT-AC68 series/ RT-AC55U/ RT-N18U/
    10/31/2017 Update on security advisory for the vulnerability of WPA2 protocol

    ASUS is working closely with chipset suppliers to resolve the vulnerability in the WPA2 security protocol, which affects some but not all ASUS products (check the list below). KRACK can exploit the vulnerability only under certain conditions highlighted in the previous update. Your network configuration is more secure under these conditions:

    (1) Routers and gateways working in their default mode (Router Mode) and AP Mode.
    (2) Range extenders working in AP Mode.
    (3) When Powerline adapters and switch products are used.

    ASUS is working actively towards a solution, and will continue to post software updates. Find out more: https://www.asus.com/support/

    Full list of routers unaffected by KRACK while in default mode:
    GT-AC5300
    RT-AC1200
    RT-AC1200G
    RT-AC1200G Plus
    RT-AC1200HP
    RT-AC1300HP
    RT-AC1900
    RT-AC1900P
    RT-AC3100
    RT-AC3200
    RT-AC51U
    RT-AC52U
    RT-AC53
    RT-AC5300
    RT-AC53U
    RT-AC54U
    RT-AC55U
    RT-AC55UHP
    RT-AC56S
    RT-AC56U
    RT-AC58U
    RT-AC66U
    RT-AC66U B1
    RT-AC66W
    RT-AC68P
    RT-AC68UF
    RT-AC68W
    RT-AC86U
    RT-AC87U
    RT-AC88U
    RT-ACRH17
    RT-ACRH13
    RT-N10P V3
    RT-N11P B1
    RT-N12 D1
    RT-N12 VP B1
    RT-N12+
    RT-N12+ B1
    RT-N12E C1
    RT-N12E_B1
    RT-N12HP B1
    RT-N14U
    RT-N14UHP
    RT-N16
    RT-N18U
    RT-N300 B1
    RT-N56U
    RT-N56U B1
    RT-N65U
    RT-N66U
    RT-N66W
    BRT-AC828
    DSL-AC87VG
    DSL-AC52U
    DSL-AC55U
    DSL-AC56U
    DSL-AC68R
    DSL-AC68U
    DSL-N10_C1
    DSL-N12E_C1
    DSL-N12HP
    DSL-N12U
    DSL-N12U B1
    DSL-N12U D1
    DSL-N12U_C1
    DSL-N14U
    DSL-N14U B1
    DSL-N16
    DSL-N16U
    DSL-N17U
    DSL-N55U D1
    DSL-N55U_C1
    4G-AC68U
    RT-AC65U
    RT-AC85U

    10/18/2017 Security advisory for the vulnerabilities of WPA2 protocol

    ASUS is aware of the recent WPA2 vulnerability issue. We take your security and privacy seriously and are currently working towards a full solution as quickly as possible. In the meantime, we want to help clarify the severity of the potential threat, and let our valued customers know the appropriate steps to take in order to avoid or lessen the threat of being compromised.

    Your devices are only vulnerable if an attacker is in physical proximity to your wireless network and is able to gain access to it. This exploit cannot steal your banking information, passwords, or other data on a secured connection that utilizes proper end-to-end encryption. However, an attacker could capture and read this information on an unsecured connection via an exploited WiFi network. Depending on the network configuration, it is also possible for the attacker to redirect network traffic, send invalid data to devices or even inject malware into the network.

    We are feverishly working with chipset suppliers to resolve this vulnerability and will release patched firmware for affected routers in the near future. Before this patched firmware is released, here are a few precautions all users should take:

    (1) Avoid public Wi-Fi and Hotspots until the routers and your devices are updated. Use cellular network connections if possible.
    (2) Only connect to secured services that you trust or that have been verified. Web pages that use HTTPS or another secure connection will include HTTPS in the URL. If the connection is secured using TLS 1.2, your activities with that service are safe for now.
    (3) Keep your operating system and antivirus software up-to-date. Microsoft recently updated Windows to fix this exploit on their latest operating systems. Google and Apple are following suit shortly.
    (4) When in doubt, be safe and use your cellular network or a wired connection (Ethernet) to access the internet. This exploit only affects 802.11 traffic between a Wi-Fi router and a connected device on an exploited WiFi connection.

    04/26/2017 New firmware available for Wireless Router RT-AC88U/ Wireless Router RT-AC66U B1
    04/24/2017 New firmware available for Wireless Router RT-AC5300/ Wireless Router RT-AC3100
    04/14/2017 New firmware available for Wireless Router RT-AC53
    03/31/2017 New firmware available for Wireless Router RT-AC87U/ RT-AC87R/ RT-AC3200/ RT-AC68U/ RT-AC68R/ RT-AC68W/ RT-AC68P/ RT-AC1900P/ RT-AC66U/ RT-AC66R/ RT-AC1750/ RT-AC56U/ RT-AC56R/ RT-N66U/ RT-N66R/ RT-N66W/ RT-AC53U/ RT-AC51U/ RT-AC750/ RT-N300/ RT-N11P/ RT-N12+/ RT-N12+ Pro/ RT-N12E B1/
    03/24/2017 New software available for Wireless Adapter PCE-AC56
    12/23/2016 New firmware available for Wireless Router RT-AC5300 / RT-AC88U / RT-AC3100 / RT-AC3200 / RT-AC87U / RT-AC87R / RT-AC66U / RT-AC66W / RT-AC1750 / RT-AC55UHP / RT-AC55U / RT-AC52U / RT-N56U / RT-N12 D1
    12/13/2016 New firmware available for Wireless Router RT-AC68U / RT-AC68R / RT-AC68W / RT-AC68UF / RT-AC68P / RT-AC1900P / RT-AC1900 / RT-AC66U_B1
    10/29/2016 New firmware available for Repeater RP-N12 / RP-N14 / RP-N53 / RP-AC52/ RP-AC56/ Media Bridge EA-N66/ EA-N66R

    10/17/2016 New ATK driver available for Notebook K53SV
    09/10/2016 New firmware available for Wireless Router RT-AC66U / RT-AC66R / RT-AC66W / RT-AC1750

    Hall of fame

    We would like to thank the following people who have made responsible disclosures to us. They were the very first reporters to notify us of qualifying vulnerabilities, which ASUSTek Computer Inc. agreed to fix. Thank you and congratulations for demonstrating your technical skill, security knowledge, and responsible behavior.

    2018
    July 2018:
    • Rick Ramgattie
    • Nishant Saurav
    • Mohammed Adel
    • Wai Yan Aung
    • Pethuraj M
    June 2018:
    • Lawrence Amer
    • Alban Cenaj
    • Wai Yan Aung
    May 2018:
    • Yeasir Arafat
    • Anil Tom
    • Sara Badran
    April 2018:
    • Yonghui Han of Fortinet's FortiGuard Labs
    • Dmitriy Alekseev
    • Fish Getachew
    • Nathu Nandwani
    • Nicodemo Gawronski & Ana Maria Popescu @amiutza
    • Diego Juarez from Core Security Technologies for Elevation of Privilege vulnerability in Asus Aura Sync.
    • Mohamed A. Baset of Seekurity.com SAS de C.V.
    March 2018:
    • Emad Abou Shanab
    • Konduru Jashwanth
    • Nikhil Srivastava
    • Dan Nino I. Fabro.
    • Kunal Bahl
    February 2018:
    • HaoTian Xiang
    • Niv Levi
    • Chris Wood
    • Vasim Shaikh (India)
    • Wen Bin Kong
    • Florian Kunushevci
    • Pritesh Mistry
    • Ismail Tasdelen
    January 2018:
    • Dipak Prajapati
    • Vasim Shaikh (India)
    • Akaash M. Sharma
    • Kushal Sharma
    • Adesh Nandkishor Kolte
    • Chirag Gupta
    • Osanda Malith Jayathissa (@OsandaMalith)
    • Chacko K Abraham
    • Suvadip Kar
    • Ankit Singh Nikhil Sahoo and Ipsita Subhadarshan Sahoo
    • Yassine Nafiai
    • Guy Arazi
    2017
    December 2017:
    • Blazej Adamczyk
    • Joaquim Espinhara
    • Beyond Security’s SecuriTeam Secure Disclosure program
    • David Maciejak of Fortinet's FortiGuard Labs
    November 2017:
    • Ketankumar Godhani
    • Ankit Singh
    • Junaid Farhan
    October 2017:
    • Daniel Diez
    • Sankalpa Nirmana
    • Vyshnav Vizz
    September 2017:
    • Samet Şahin
    • Ranjeet Jaiswal
    August 2017:
    • Yoko
    • Sreedeep Ck Alavil
    April 2017:
    • Cool Alfaiz
    • Manav Infosec
    • Mohammad Abdullah
    March 2017:
    • Cool Alfaiz
    January 2017:
    • CDL
    2016
    December 2016:
    • Kishan Kumar
    October 2016:
    • Yunus Yildirim
    • Muhammad Hammad
    • Chris
    September 2016:
    • Steave Afters
    • Jhack