ASUS Implements Security Updates for MyASUS, Armoury Crate, and Certain Routers

[btarunr]

ASUS recognizes recent reports from security researchers concerning potential software issues with MyASUS, Armoury Crate, DriverHub, and certain ASUS router models. All of these issues have been resolved. Users can see here for more information and to download the latest software version. As a member of FIRST, the world's largest cybersecurity incident response organization, and as a partner in the CVE CNA program, an international community-based cybersecurity effort, ASUS is deeply committed to providing the highest level of product experience to our users.



View at TechPowerUp Main Site

 

[ixi]

Hmm, where is "see here"?

 

[btarunr]

Hmm, where is "see here"?

Fixed, thanks.

 

[Aoyagi]

ASUS is deeply committed to providing the highest level of product experience to our users

I'll never understand how these empty statements are still a thing. Surely even the most brain-dead focus group will roll eyes or at best slightly chuckle at this.

 

[TheLostSwede]

The router updates came out in March for most of their routers, so just because some media picked up on this recently, doesn't mean that you've been using an unsecure router for months, at least if you update your firmware or have enabled the auto update feature.

 

[Chaitanya]

The router updates came out in March for most of their routers, so just because some media picked up on this recently, doesn't mean that you've been using an unsecure router for months, at least if you update your firmware or have enabled the auto update feature.

"Auto update" feature also is vulnerable to being attacked and not something to be trusted blindly. I have seen "auto update" for Java connecting to random servers in Germany to download "updates".

 

[Broken Processor]

The router updates came out in March for most of their routers, so just because some media picked up on this recently, doesn't mean that you've been using an unsecure router for months, at least if you update your firmware or have enabled the auto update feature.

I was surprised they didn't change the SHA keys, I just deleted them. I flash firmware manually anyway.

 

[A Computer Guy]

"Auto update" feature also is vulnerable to being attacked and not something to be trusted blindly.

I remember when the built-in security update got botched (I think it was Microtrend?) in Asus routers that crippled them even if you didn't have it enabled. It's why I don't use Asus anymore. It might have been a one off oopsie but it costed me at least a day of work loss and I had to go around my house re-flashing my Asus routers in my poor mans vlan twice before I figured out what was going wrong as it kept re-downloading the crippling update.

 

[TheLostSwede]

"Auto update" feature also is vulnerable to being attacked and not something to be trusted blindly. I have seen "auto update" for Java connecting to random servers in Germany to download "updates".

So which do you prefer, people that automagically get their routers updated with a very slight chance of there being a man in the middle attack or that people run the firmware their router shipped with and that router now being a part of a botnet without the owner knowing about it?

I remember when the built-in security update got botched (I think it was Microtrend?) in Asus routers that crippled them even if you didn't have it enabled. It's why I don't use Asus anymore. It might have been a one off oopsie but it costed me at least a day of work loss and I had to go around my house re-flashing my Asus routers in my poor mans vlan twice before I figured out what was going wrong as it kept re-downloading the crippling update.

TrendMicro. That was a separate update though, as that is not part of the firmware update feature.
It clearly didn't affect people that hadn't enable that feature, as I never had any issues with that, nor did anyone else that didn't have that feature enabled.

I agree that they should stop adding these type of features, as what is being sold as a security feature clearly doesn't deliver.

Also, if you haven't already discovered it, try Merlin's firmware for Asus routers.

 

[_roman_]

This needs to be told so people are aware of reality vs ASUS marketing.

Detail - you have been warned - biased - etc ... :

ASUS and security. Having no uefi updates but public known CVE and security issues on amd Chipsets for 3 or 4 weeks on the mainboard I used a month ago.
that does not fit.
I have no issues with ASUS marketing. But ASUS and security marketing is a bit fraudulent in my personal viewpoint with recent purchasable and still can be purchased asus products.

This needs to be told so people are aware of reality vs ASUS marketing. that armory crate will not matter as the uefi itself did not get any newer updates for at least 3 or 4 weeks. The uefi itself was insecure for any, ! any !, operating system out there on asus amd mainboard.

I talk about my "garbage" lying around ASUS Prime x670-p mainboard. (provided an example - may 2023 - may 2025)
see yourself how often an asus mainbaord get an uefi update. Sadly this does not show when.

AM5 AGESA/UEFI/BIOS List | SMU AM5/AM4 Table

docs.google.com

So which do you prefer, people that automagically get their routers updated with a very slight chance of there being a man in the middle attack or that people run the firmware their router shipped with and that router now being a part of a botnet without the owner knowing about it?

This is a politics and law problem

I suggest a heavy fine for the end user which has to be paid by the router owner instantly.
More friendly way - the internet service provider get heavy fine for each of those users connected to them when not removed in the next 5 minutes.
We have so much stuff done by the internet service provider, so this does not matter much.

there is no right for internet access. Should be handled the same as with illegal x, or illegal y or harmful z.

I think writing it in more details or going more specific will get me a message warning. Please accept it as it is without details or specifics.

 

[TheLostSwede]

@_roman_ actually, internet access is a human right in Finland.

But yes, ISPs should be a lot more proactive against botnets and cut those user off and inform them that their hardware is compromised.

 

[Jism]

Wireless routers should be really simple.

A host interface
Firmware

Nothing else. Fantastic that you can bloat yours routers with gimmick GUI's and functions but obviously at the cost or expensive of other things, security.

Any router i used to use i turn the things i don't need off. And i make sure the router does not see a daylight on the internet hooked, other then a pass through from something being firewalled in the first place.

Yes some routers are directly linked to the internet, with zero firewall, and that is the main cause of problems. Always put something in front of it that blocks 99.9% of incoming connections to begin with.

 

[Chaitanya]

This needs to be told so people are aware of reality vs ASUS marketing.

Detail - you have been warned - biased - etc ... :

ASUS and security. Having no uefi updates but public known CVE and security issues on amd Chipsets for 3 or 4 weeks on the mainboard I used a month ago.
that does not fit.
I have no issues with ASUS marketing. But ASUS and security marketing is a bit fraudulent in my personal viewpoint with recent purchasable and still can be purchased asus products.

This needs to be told so people are aware of reality vs ASUS marketing. that armory crate will not matter as the uefi itself did not get any newer updates for at least 3 or 4 weeks. The uefi itself was insecure for any, ! any !, operating system out there on asus amd mainboard.

I talk about my "garbage" lying around ASUS Prime x670-p mainboard. (provided an example - may 2023 - may 2025)
see yourself how often an asus mainbaord get an uefi update. Sadly this does not show when.

AM5 AGESA/UEFI/BIOS List | SMU AM5/AM4 Table

docs.google.com

Gamers Nexus recently posted a long video about all the vulnerabilities of Shitsus products and the radio silence from this side over the issues and "fixes" that they have "made".

So which do you prefer, people that automagically get their routers updated with a very slight chance of there being a man in the middle attack or that people run the firmware their router shipped with and that router now being a part of a botnet without the owner knowing about it?

This particular instance wasnt man in the middle attack rather a compromized auto updater pushed as part of Trust exploitation. Ultimately person sitting on the other end is the weakest link and as we have seen with this particular manufacturer who install rootkits/malware via firmware on its products cannot be trusted to perform auto updates reliably.

 

[Konomi]

I'll never understand how these empty statements are still a thing. Surely even the most brain-dead focus group will roll eyes or at best slightly chuckle at this.

Well, PR is the perfect job for anyone good at making up bullshit. Speaking of which, it reminds me of this wonderful site..

 

[TheLostSwede]

Gamers Nexus recently posted a long video about all the vulnerabilities of Shitsus products and the radio silence from this side over the issues and "fixes" that they have "made".

What is Asus supposed to say, when all of the issues they brought up in the video where already addressed?

I'm not trying to defend Asus here, but every tech company out there is affected by problems and Gamers Nexus was late on the ball here, which made it all a bit weird.

This particular instance wasnt man in the middle attack rather a compromized auto updater pushed as part of Trust exploitation. Ultimately person sitting on the other end is the weakest link and as we have seen with this particular manufacturer who install rootkits/malware via firmware on its products cannot be trusted to perform auto updates reliably.

Well, it seems like Asus needs a better system for pushing updates, but I would say 99% of people are better of having an auto firmware update on their router, than not.
In your honest opinion, how many percentage of consumers update their router firmware regularly (assuming there are available updates)?
If you read the text in Asus routers, you'll also see that they allegedly push out security fixes, regardless of if the auto firmware option is enabled or not, although I'm not quite sure how the can do this for older firmwares, but I don't have enough insight into how their firmware works. I just know it's not that easy to push out such an update on embedded Linux systems like routers, due to how the OS works. For those not aware, the router OS is stored as a compressed image which is extracted to RAM once you power the router on and doesn't run in flash, on most routers. This is also why it takes so long to save the settings, as they have to be written to the flash image, as if they were just "saved", they would be forgotten when the router was rebooted or lost power.

 

[Durhamranger]

Bios security aint much better from Half ass Asus....

 

[chrcoluk]

What is Asus supposed to say, when all of the issues they brought up in the video where already addressed?

I'm not trying to defend Asus here, but every tech company out there is affected by problems and Gamers Nexus was late on the ball here, which made it all a bit weird.


Well, it seems like Asus needs a better system for pushing updates, but I would say 99% of people are better of having an auto firmware update on their router, than not.
In your honest opinion, how many percentage of consumers update their router firmware regularly (assuming there are available updates)?
If you read the text in Asus routers, you'll also see that they allegedly push out security fixes, regardless of if the auto firmware option is enabled or not, although I'm not quite sure how the can do this for older firmwares, but I don't have enough insight into how their firmware works. I just know it's not that easy to push out such an update on embedded Linux systems like routers, due to how the OS works. For those not aware, the router OS is stored as a compressed image which is extracted to RAM once you power the router on and doesn't run in flash, on most routers. This is also why it takes so long to save the settings, as they have to be written to the flash image, as if they were just "saved", they would be forgotten when the router was rebooted or lost power.

To me properly addressing driverhub is dropping it as a product and also disabling the bios feature that allows silent installation of software as well, that would be a proper first step in recognising these are insecure ideas by nature. They need to disown these two things.

 

[Chaitanya]

Well, it seems like Asus needs a better system for pushing updates, but I would say 99% of people are better of having an auto firmware update on their router, than not.
In your honest opinion, how many percentage of consumers update their router firmware regularly (assuming there are available updates)?
If you read the text in Asus routers, you'll also see that they allegedly push out security fixes, regardless of if the auto firmware option is enabled or not, although I'm not quite sure how the can do this for older firmwares, but I don't have enough insight into how their firmware works. I just know it's not that easy to push out such an update on embedded Linux systems like routers, due to how the OS works. For those not aware, the router OS is stored as a compressed image which is extracted to RAM once you power the router on and doesn't run in flash, on most routers. This is also why it takes so long to save the settings, as they have to be written to the flash image, as if they were just "saved", they would be forgotten when the router was rebooted or lost power.

The way Shitsus has handled all the issues that have popped up with their routers and so called Ai Protection and Ai Cloud features which themselves now have come under scanner and silence about the rootkit/malware(driverhub, armory crate, etc...) pushing firmwares which continue to sell and not patched using Auto updates(in case of Shitsus) is something that should be done blindly by 100% of consumers of their products. Wont be surprised of old router wont get any updates and Shitsus is hoping they can shrug off their responsibility saying no one should be using old perfectly working hardware and throw it in bin while upgrading to newer more "secure" hardware.

To me properly addressing driverhub is dropping it as a product and also disabling the bios feature that allows silent installation of software as well, that would be a proper first step in recognising these are insecure ideas by nature. They need to disown these two things.

Its not just the driverhub, almost all of the features that Shitsus marketting uses from AiCloud, AiProtection, Live Update, Armory crate, Aura sync(now discontinued), etc... have CVEs listed against them. So unless they dont start culling their entire "software" division things wont change it seems.

https://www.cvedetails.com/product-list/product_type-/vendor_id-3447/firstchar-/page-1/Asus.html

CVE - Search Results

 

[TheLostSwede]

Wont be surprised of old router wont get any updates and Shitsus is hoping they can shrug off their responsibility saying no one should be using old perfectly working hardware and throw it in bin while upgrading to newer more "secure" hardware.

So what you're saying is that you're going to bash them without even knowing what has been addressed? Cool...
They actually released updates for a bunch of EOL products, so yeah, you're wrong, very wrong in this case. And yes, now I am defending Asus, as they realised that this was a serious issue and made sure to release updates for a lot of older models because of it.

 

[efikkan]

Wireless routers should be really simple.

A host interface
Firmware

Nothing else. Fantastic that you can bloat yours routers with gimmick GUI's and functions but obviously at the cost or expensive of other things, security.

Yes some routers are directly linked to the internet, with zero firewall, and that is the main cause of problems. Always put something in front of it that blocks 99.9% of incoming connections to begin with.

If it's set up as a router, it should block incoming connections, anything that isn't manually port forwarded or initiated behind the NAT. How many bugs and "backdoors" there may be is a different question though…

Gamers Nexus recently posted a long video about all the vulnerabilities of Shitsus products and the radio silence from this side over the issues and "fixes" that they have "made".

This particular instance wasnt man in the middle attack rather a compromized auto updater pushed as part of Trust exploitation. Ultimately person sitting on the other end is the weakest link and as we have seen with this particular manufacturer who install rootkits/malware via firmware on its products cannot be trusted to perform auto updates reliably.

I'm glad people are starting to wake up to this concern, but I'm afraid most of these concerns should be raised against all of them, not just Asus.

It's hard to find a router that doesn't have a known exploit. And for those who think it's so hard to make it secure; no it's not. 99.99% of such exploits are because of low quality implementations (often taking shortcuts) or "clever" service backdoors/default passwords/recovery keys etc. The amount of exploits that happen because of a weakness in the encryption algorithm is so rare that it barely registers.

I'm also glad people are starting to realize the massive exploitation potential in UEFI BIOSes. For those who don't know, it's not just a traditional BIOS, it is also a tiny kernel running underneath your OS which not only sucks resources, but also can directly access all hardware and therefore bypass any security built into the OS. (Many years ago I read through the (U)EFI specification and sample code, and it's some nasty stuff…) While I consider the risk of intentionally shipping malware from motherboard vendors as relatively low, we have to remember that practically all of them build BIOSes from modular software packages from third-parties. So there is a significant risk of them adding in software that isn't solid, or them creating "convenience features" which turns out to be another backdoor.

A lot of this also translates to routers, access points and other connected devices. Even for a "new" product, chances are that it's just a white label product from a third party with no in-house maintenance, and the software is probably a ~10 year old Linux or FreeBSD with 15 year old libraries…

The way Shitsus has handled all the issues that have popped up with their routers and so called Ai Protection and Ai Cloud features which themselves now have come under scanner and silence about the rootkit/malware(driverhub, armory crate, etc...)

Whenever you see vendors put the label "AI" on something like that, it's not a keyword indicating it's somehow intelligent, it's often a keyword for we're mining your data and sending it to China (or someone else).

 

[Chaitanya]

If it's set up as a router, it should block incoming connections, anything that isn't manually port forwarded or initiated behind the NAT. How many bugs and "backdoors" there may be is a different question though…


I'm glad people are starting to wake up to this concern, but I'm afraid most of these concerns should be raised against all of them, not just Asus.

It's hard to find a router that doesn't have a known exploit. And for those who think it's so hard to make it secure; no it's not. 99.99% of such exploits are because of low quality implementations (often taking shortcuts) or "clever" service backdoors/default passwords/recovery keys etc. The amount of exploits that happen because of a weakness in the encryption algorithm is so rare that it barely registers.

I'm also glad people are starting to realize the massive exploitation potential in UEFI BIOSes. For those who don't know, it's not just a traditional BIOS, it is also a tiny kernel running underneath your OS which not only sucks resources, but also can directly access all hardware and therefore bypass any security built into the OS. (Many years ago I read through the (U)EFI specification and sample code, and it's some nasty stuff…) While I consider the risk of intentionally shipping malware from motherboard vendors as relatively low, we have to remember that practically all of them build BIOSes from modular software packages from third-parties. So there is a significant risk of them adding in software that isn't solid, or them creating "convenience features" which turns out to be another backdoor.

A lot of this also translates to routers, access points and other connected devices. Even for a "new" product, chances are that it's just a white label product from a third party with no in-house maintenance, and the software is probably a ~10 year old Linux or FreeBSD with 15 year old libraries…


Whenever you see vendors put the label "AI" on something like that, it's not a keyword indicating it's somehow intelligent, it's often a keyword for we're mining your data and sending it to China (or someone else).

I remember TP Link and one more router manufacturer(I think it was netgear or D-Link but not sure) was also hit by similar vulnerability and they didnt provide any firmware updates, basically throwing a lot of their consumers on the kerb. Ultimately I have stopped purchasing any more routers from TP-Link. These days I have a entry level firewall(Sonicwall) that I use to sit between WAN and Wifi AP/PCs, not going to touch any consumer grade crap from TP-Link or Shitsus(they have a long history of being screwing consumers). Recently even Gigabyte was caught with their pants down when it comes to having UEFI vulnerabilities, Asrock is blowing AM5 CPUs and that leaves MSI(for now) among top tier board makers without known issues on their current gen boards.

"AI" marketing isnt new at all, I had Socket 754/939 boards that had AI marketting slapped all over the box and back then it was just some softwares bundled but now its something that connects silently to a remote server to mine users data for marketting purposes.