10-16-2017 05:37 AM - last edited on 03-05-2024 09:52 PM by ROGBot
10-16-2017 10:56 AM
darkguy2 wrote:
Called the tech support line and they had no idea what I was talking about.
10-16-2017 01:35 PM
xeromist wrote:
Not surprising given that the information came out yesterday, on the weekend. It wasn't supposed to come out until today so some vendors may be caught without a response. I don't know if ASUS was one of the vendors informed ahead of time to allow for a patch to be applied.
We sent out notifications to vendors whose products we tested ourselves around 14 July 2017. After communicating with these vendors, we realized how widespread the weaknesses we discovered are (only then did I truly convince myself it was indeed a protocol weakness and not a set of implementation bugs). At that point, we decided to let CERT/CC help with the disclosure of the vulnerabilities. In turn, CERT/CC sent out a broad notification to vendors on 28 August 2017.
10-16-2017 01:22 PM
10-16-2017 01:30 PM
10-16-2017 02:12 PM
10-16-2017 02:43 PM
xeromist wrote:
Yup, found the entry here:
https://www.kb.cert.org/vuls/id/CHEU-AQNMXY
All is not lost as there's still a chance that ASUS has been working on rolling out patches but didn't have the call-centers ready to respond. Still, I agree it would be good to at least see an acknowledgement that ASUS is working on patches or has already rolled some out.
The good news is that most individuals aren't important enough to be targeted. This will be used disproportionately against corporate and gov wifi connections.
Also note that it's not just ASUS routers. This also can and should be patched on client devices, which means ASUS tablets and phones. Luckily, laptops and G desktops running Windows were probably already patched by Microsoft.
10-16-2017 02:32 PM
10-16-2017 02:59 PM
Korth wrote:
And no need to advertise technical details to greasy devs who might want to maliciously exploit them, or worse, escalate severity of the problem by dumping kiddy hacks all over the internet.