
ASUS - where is your WiFi patch for KRACK security vulnerability?

BizzyB
Level 7
I have both an ASUS RT-AC3100 and an ASUS PCE-AC88. Let me preface this by saying I work in the IT Security industry. I understand the risk to my home network is low simply based on opportunity, time, and physical proximity, and that the major risk is public or enterprise networks. However, it's somewhat disconcerting to hear that many manufacturers have already patched, or have patches coming shortly, and not a peep out of ASUS. I love my networking equipment, but I do expect a commitment to security and a timely response to critical vulnerabilities, especially at the price premium paid. I've been unable to find anything anywhere on plans by ASUS to address this, so please point me in the right direction if I've missed it. I don't exactly expect an immediate patch, but I do expect some communication and timeframe for deployment.

hawki
Level 7
self-deleted by hawki

MasterC
Community Admin
Hi BizzyB,

In case you still haven't come across our statement, this is where we're at:

ASUS is aware of the recent WPA2 vulnerability issue. We take security and your privacy seriously, so we are working towards a solution as quickly as possible. In the meantime, we want to help clarify the severity of the potential threat, and let our valued customers know the appropriate steps to take in order to avoid being compromised.

Your devices are only vulnerable if an attacker is in physical proximity to your wireless network. We are co-working with chipset vendors and will release patched firmware for affected routers soon. Before new firmware is released, here are a few ways to stay safe:
(1) Only visit HTTPS websites.
(2) Keep your operating system and antivirus software up-to-date.
(3) When in doubt, be safe and use your cellular network or a wired connection (Ethernet) to access the internet.
_____________________________________________________________
FPS, Racing, and VR Gamer / Tech Enthusiast / ROG Admin

Thank you for your response. As stated, I realized the risk to my home network is low, but it's still a critical vulnerability. I'm glad to hear you are addressing it and are working on firmware. Given that routers don't automatically update firmware, where should we be checking for updates on this issue so we know when to update?

MasterC
Community Admin
BizzyB wrote:
Thank you for your response. As stated, I realized the risk to my home network is low, but it's still a critical vulnerability. I'm glad to hear you are addressing it and are working on firmware. Given that routers don't automatically update firmware, where should we be checking for updates on this issue so we know when to update?


Hi BizzyB,

You can receive notifications for firmware updates from the ASUS Router App for your phone. I can also update everyone here when it is imminent or becomes available. Thanks!
_____________________________________________________________
FPS, Racing, and VR Gamer / Tech Enthusiast / ROG Admin

Is there an ETA for an update? Even a check for beta firmware still shows nothing new.

I noticed last week a new update for the RT-AC66U is available that includes the KRACK fix.
For the RT-AC66U the firmware version is 3.0.0.4.380_8120-ge60d6e4

- Release Note -

Security fixed
- Fixed KRACK vulnerability
- Fixed CVE-2017-14491: DNS - 2 byte heap based overflow
- Fixed CVE-2017-14492: DHCP - heap based overflow
- Fixed CVE-2017-14493: DHCP - stack based overflow
- Fixed CVE-2017-14494: DHCP - info leak
- Fixed CVE-2017-14495: DNS - OOM DoS
- Fixed CVE-2017-14496: DNS - DoS Integer underflow
- Fixed CVE-2017-13704 : Bug collision.
- Fixed predictable session tokens, logged user IP validation, Logged-in information disclosure. (special thanks for Blazej Adamczyk contribution)
- Fixed web GUI authorization vulnerabilities.
- Fixed AiCloud XSS vulnerabilities.

Still no update patch for Asus star router RT-AC88U. Disappointing. I have been checking every day.

marklang wrote:
Still no update patch for Asus star router RT-AC88U. Disappointing. I have been checking every day.


The ASUS RT-AC88U isn't vulnerable to KRACK in the default router-mode configuration as ASUS didn't follow the entire WiFi standard when they designed that device (it appears to reject repeat keys - this is a good thing). Your device is currently believed to be safe in that mode. Read this page for ASUS's own statement on it:

https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory

Click "10/31/2017 Update on security advisory for the vulnerability of WPA2 protocol" to see the list.

Seda wrote:
The ASUS RT-AC88U isn't vulnerable to KRACK to begin with as ASUS didn't follow the entire WiFi standard when they designed that device (it appears to reject repeat keys - this is a good thing). Your device is currently believed to be safe.

https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory

Click "10/31/2017 Update on security advisory for the vulnerability of WPA2 protocol" to see the list.


Misleading, as it's only in the default configuration that they're not vulnerable.