The ASUS Dumpster Fire
Gamers Nexus
Summary:
ASUS is facing scrutiny over multiple security vulnerabilities in its software and hardware, posing risks to users.
- DriverHub Vulnerability: A zero-click remote code execution vulnerability allowed arbitrary malicious files to be downloaded and run with administrator privileges. Although patched, users are advised to uninstall.
- MyASUS Vulnerability: Hardcoded administrator credentials in the software could expose the personal sensitive information of millions of users (including names, birthdays, phone numbers, and addresses).
- Router Botnet: ASUS routers are actively targeted by the AyySSHush botnet, exploiting legitimate features for permanent remote access, with firmware updates unable to remove the backdoor.
- Armoury Crate: This pre-installed software behaves like malware, and BIOS updates reset settings even when disabled. Its ASIO3 kernel driver also has privilege escalation vulnerabilities.
The video emphasizes that ASUS, as a large company, should not introduce additional security risks by forcing unnecessary software installations. Users are advised to promptly update or uninstall ASUS software and actively update router firmware.
ASUS Software's Serious Vulnerabilities [00:00]
ASUS's software and hardware have seen several significant vulnerabilities emerge in recent months. The simultaneous occurrence of these issues requires special attention if you use ASUS devices or software.
- Multiple Security Risks
- ASUS Armoury Crate: Issues with this software were foreseen, but ASUS continues to promote it. It comes pre-installed on motherboards and can "survive" even after reformatting. It activates without an internet connection and behaves like malware, harboring deep-seated vulnerabilities.
- RMA System: Hardcoded administrator credentials shipped inside the MyASUS client could expose millions of customer records.
- Routers: ASUS routers are actively being attacked, potentially for building botnets.
- Recommendations and Purpose
- Update or Uninstall Software: Users are advised to uninstall unnecessary ASUS software or, at a minimum, update to the latest version.
- Update Router Firmware: If you own an ASUS router, ensure its firmware is up to date.
- Opposition to Motherboard-Level Bloatware: The video calls for resisting the forced installation of malware-like bloatware on motherboards by ASUS and other manufacturers. These programs have limited functionality but pose significant security risks.
Affected ASUS Products and Vulnerability Types [04:15]
The video details the four main vulnerability attack vectors currently being discussed, including both patched and actively exploited vulnerabilities.
- Affected Software and Hardware
- ASUS DriverHub
- MyASUS
- ASUS Armoury Crate
- ASUS Routers (actively being exploited, possibly for building botnets or honeypots)
ASUS DriverHub Vulnerability [06:00]
This vulnerability was discovered by independent security researcher Paul (aka "Mr. Bruh") and has been fixed.
- Discoverer and Vulnerability Description
- Paul reported a "zero-click RCE (Remote Code Execution) vulnerability" found in ASUS DriverHub software via email in April 2025.
- DriverHub is a background service without a graphical interface. It communicates with the driverhub.asus.com website to check for and install driver updates.
- Key Vulnerability Point: the local service that the website drives only checks whether the requesting origin "contains" driverhub.asus.com rather than exactly "equals" that host. Any attacker-registered domain whose name contains that string (not a real ASUS subdomain, but a look-alike such as driverhub.asus.com.malware.com) therefore passes the check, and a page served from it can send the service the same commands the legitimate site does.
- Exploit Chain
- Paul found that from a page served on a hostname containing driverhub.asus.com he could call six DriverHub functions: initialization, device information, restart, logs, install application, and update application.
- "Update Application" Function: downloads a file from a URL named in the request and stores it permanently on disk. If the downloaded file is an executable carrying a valid ASUS signature, DriverHub runs it automatically with administrator privileges; unsigned files are simply left in place, which is enough to plant a configuration file next to a signed installer.
- Complete Exploit Chain:
- A user visits a malicious website (e.g., driverhub.asus.com.malware.com).
- The first "Update Application" request downloads malware.exe (unsigned, so it is stored but not run).
- The second "Update Application" request downloads a custom AsusSetup.ini file containing SilentInstallRun=malware.exe.
- The third "Update Application" request downloads and runs the legitimate, ASUS-signed AsusSetup.exe with administrator privileges; the installer reads the planted AsusSetup.ini and in turn runs malware.exe with administrator privileges.
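The root cause above is an origin check that tests for a substring rather than an exact host. The following is an added example (not ASUS's DriverHub code) that puts the "contains" check the video describes beside an exact-origin check and runs both over a set of constructed probe origins, including the look-alike domain from the exploit chain; the trusted host is the one the video names, everything else is made up for the demonstration.

```python
"""Origin check behind the DriverHub bug: substring match vs exact host match.

Added example; this is not ASUS's DriverHub code. The trusted host is the one
the video names. The probe origins below are constructed for the demo.
"""
from urllib.parse import urlsplit

TRUSTED_HOST = "driverhub.asus.com"


def origin_allowed_vulnerable(origin: str) -> bool:
    """The pattern the video describes: accept if the string *contains* the host."""
    return TRUSTED_HOST in origin


def origin_allowed_fixed(origin: str) -> bool:
    """Accept only the exact origin https://driverhub.asus.com (port 443)."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.hostname is None or parts.hostname.lower() != TRUSTED_HOST:
        return False
    if port not in (None, 443):
        return False
    # A browser Origin header is scheme://host[:port] only; anything after the
    # authority means the value was not a genuine origin.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return True


# Constructed probes: the first two are the legitimate origin, the rest are the
# kinds of look-alike values a substring check lets through.
PROBES = [
    "https://driverhub.asus.com",
    "https://driverhub.asus.com:443",
    "https://driverhub.asus.com.malware.com",       # suffix trick from the video
    "https://driverhub.asus.com@malware.com",       # trusted host hidden in userinfo
    "https://malware.com/?ref=driverhub.asus.com",  # trusted host string in the query
    "http://driverhub.asus.com",                    # right host, plaintext scheme
]


def run_probes() -> dict:
    """Map each probe origin to (vulnerable_result, fixed_result)."""
    return {o: (origin_allowed_vulnerable(o), origin_allowed_fixed(o)) for o in PROBES}


if __name__ == "__main__":
    for origin, (vuln, fixed) in run_probes().items():
        print(f"{origin:48} contains-check={vuln!s:5} exact-check={fixed}")
```

Every probe except the plaintext one passes the substring check; only the two genuine origins pass the exact check. The same rule applies to any localhost service a browser can reach: compare the parsed hostname for equality, never search for it inside the raw string.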
- Impact and Fix
- Paul believes it was unlikely this vulnerability was actively exploited before his report.
- As of May 9, 2025, a fix for DriverHub has been deployed. Users are advised to uninstall the software, as manually managing drivers is generally safer and less concerning.
- ASUS's Attitude Toward Researchers
- Paul states that ASUS lacks incentives for penetration testers, typically only providing a thank-you email and an uncontextualized acknowledgment at the bottom of the security bulletin page. This approach seems insufficient.
ASUSpiciously Stupid Vulnerability (RMA System) [12:36]
Despite not receiving substantial rewards for the DriverHub issue, Paul continued to delve into other ASUS problems, this time involving ASUS's RMA (Return Merchandise Authorization) system and user account information.
- Vulnerability Discovery and Impact
- Paul found files in the MyASUS software containing hardcoded credentials with "administrator-level unlimited permissions" that could be abused to access information from any ASUS account.
- This information includes users' full names, dates of birth, phone numbers, and full addresses.
- An ASUS account requires only the date of birth by default, but many users also filled in the optional phone number and address fields without realising they could be exposed.
- Fix and Follow-Up
- According to Paul's report, the issue was fixed on May 12, 2025.
- Notably, ASUS's email system repeatedly marked and blocked Paul's vulnerability proof-of-concept code submissions as spam.
- ASUS even asked Paul to test their fixes and preview his blog posts before publishing, without offering any compensation, which the video creators criticized as "not cool."
- Gamers Nexus coordinated with Paul, providing expired RMA numbers and serial numbers for him to probe the system, but Paul said he needed more up-to-date case data.
AyySSHush Router Botnet [17:59]
This issue is separate from the bloatware theme of the rest of the video, but its impact is the most far-reaching and it is still ongoing.
- Ongoing Threat
- On May 28, 2025, security and data science company GreyNoise published a report titled "AyySSHush: The Technicals of an Emerging ASUS Botnet."
- The report indicates that continuous attacks targeting ASUS routers are being observed, combining old and new attack methods, possibly laying the groundwork for future botnets.
- Attackers exploit vulnerabilities to access and enable legitimate functions on ASUS routers, such as enabling SSH access on a custom port (TCP/53282) and inserting an attacker-controlled public key for permanent remote access.
- Key Point: The backdoor is stored in non-volatile memory (NVRAM), meaning firmware upgrades or restarts cannot remove it.
- No actual malware is installed, and router logging is disabled to evade detection.
- These techniques reflect long-term planning and a high level of system knowledge.
- Ironically, some vulnerabilities exist within ASUS's AI Protection features.
- Affected Scope and Prevention
- Censys released a live tracker for monitoring ASUS routers with open port 53282, a typical sign of exploitation. The United States and other regions have many such devices.
- The number of affected devices fluctuates, possibly due to increased public awareness or changes in attacker strategies.
- The attackers' goals and identity remain unknown, but there is overlap with the broader "ViciousTrap" exploitation activity, indicating a potential botnet risk.
- Recommendation: at a minimum, keep ASUS router firmware updated. For a router that is already compromised, a firmware patch closes the entry vulnerability but does not remove the backdoor, because the SSH setting and the attacker's key live in NVRAM; such a device needs a full factory reset, and the SSH configuration (port 53282, any authorized key you did not add yourself) should be checked before it goes back online. Prevention therefore relies on updating firmware before an attack occurs.
- ASUS offers some basic health checks and advises performing a factory reset on suspicious devices, but its effectiveness is unclear.
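Because the persistence lives in NVRAM rather than in a file, the quickest check on a suspect router is to read its NVRAM settings directly. The following is an added example (not GreyNoise's or ASUS's tooling) that audits an `nvram show` dump for the indicators the video lists: SSH enabled, SSH on TCP/53282, SSH reachable from the WAN, and authorized keys you do not recognise. The nvram key names (sshd_enable, sshd_port, sshd_wan, sshd_authkeys) follow the ASUSWRT convention and are an assumption; confirm them with `nvram show | grep sshd` on your own firmware. The sample dump and the key blob in it are constructed.

```python
"""Audit an ASUSWRT nvram dump for AyySSHush-style persistence indicators.

Added example; not GreyNoise's or ASUS's tooling. Key names follow the
ASUSWRT convention and are an assumption: check them on your firmware.
"""
import base64
import hashlib

DEFAULT_SSH_PORT = 22
AYYSSHUSH_PORT = 53282  # port reported by GreyNoise for the campaign

# Constructed `nvram show` excerpt with an attacker key planted.
FAKE_KEY_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x42" * 64).decode()
SAMPLE_NVRAM = f"""\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_wan=1
sshd_port=53282
sshd_pass=0
sshd_authkeys=ssh-rsa {FAKE_KEY_BLOB} persist@attacker
"""


def parse_nvram(text: str) -> dict:
    """Turn `key=value` lines into a dict (values may themselves contain '=')."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def ssh_fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key line ("type blob comment")."""
    fields = key_line.split()
    blob = base64.b64decode(fields[1]) if len(fields) > 1 else b""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(cfg: dict, trusted_fingerprints=()) -> list:
    """Return indicator strings; an empty list means nothing was flagged."""
    findings = []
    if cfg.get("sshd_enable", "0") != "0":
        findings.append("ssh_enabled")
    port = int(cfg.get("sshd_port") or DEFAULT_SSH_PORT)
    if port == AYYSSHUSH_PORT:
        findings.append("ssh_on_port_53282")
    elif port != DEFAULT_SSH_PORT:
        findings.append(f"ssh_on_nonstandard_port_{port}")
    if cfg.get("sshd_wan", "0") == "1":
        findings.append("ssh_reachable_from_wan")
    # Several keys may be stored back to back; split on newlines or on the '<'
    # list separator ASUSWRT uses (assumption: verify against your own dump).
    raw = cfg.get("sshd_authkeys", "")
    for key_line in filter(None, raw.replace("<", "\n").splitlines()):
        fp = ssh_fingerprint(key_line.strip())
        if fp not in trusted_fingerprints:
            findings.append(f"unknown_authorized_key:{fp}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nvram(SAMPLE_NVRAM)):
        print("FLAG", finding)
```

Pass the fingerprints of keys you installed yourself as `trusted_fingerprints`; anything else in `sshd_authkeys` is flagged. Since the attacker disables logging, the NVRAM contents are the evidence, not the logs, so capture the dump before a factory reset if you want to keep it.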
Armoury Crate Vulnerabilities [20:31]
Armoury Crate has long plagued users, behaving like malware itself.
- The Core Problems of Armoury Crate
- The software has "self-propagating" characteristics and exists at the motherboard level.
- There is a switch in the BIOS to disable its automatic installation, which users should turn off. However, even when disabled, future BIOS updates reset this setting.
- Worse, Windows sometimes pulls firmware updates for the motherboard during Windows Update, which also resets the Armoury Crate BIOS switch, reactivating it.
- Therefore, even without being actively exploited, Armoury Crate's behavior is akin to malware.
- ASIO3 Kernel Driver Vulnerabilities
- The latest entries on ASUS's product security advisory page show two vulnerabilities in the Armoury Crate application, both attributed to Marcin "Icewall" Noga of Cisco Talos.
- These vulnerabilities are related to the ASIO3 kernel driver. Armoury Crate involves low-level hardware access (such as RGB control), making it potentially exploitable.
- First Vulnerability (CVE-2025-1533): a stack-based buffer overflow triggered by sending the driver a crafted I/O Request Packet (IRP). It stems from a common developer mistake: copying a path into a fixed-size stack buffer on the assumption that a Windows path never exceeds MAX_PATH (260 characters), when paths can be far longer.
- Second Vulnerability (CVE-2025-3464): an authorization bypass in the ASIO3 kernel driver. The driver is meant to accept a caller only if the executable on disk at the caller's image path hashes to the same value as the legitimate AsusCertService.exe.
- Icewall defeated this with an NTFS hard link: start a process through an attacker-controlled hard link, then re-point that link at the real AsusCertService.exe before the driver performs its check. The driver hashes the file the path now resolves to, sees the trusted hash, and admits a process whose code is entirely different (a time-of-check/time-of-use flaw). With the device handle obtained, the other weaknesses in the ASIO3 driver become reachable.
- By bypassing authorization, any user can obtain a device handle, enabling key functions like physical memory address mapping, I/O port communication, and MSR register read/write.
- Proof of Concept: Icewall released a video demonstrating how to run an elevated console.
- File Handling Vulnerability: Another patched Armoury Crate vulnerability (CVE-2024-12957) allowed arbitrary file deletion.
- Fix Status: These specific issues were fixed on May 12, 2025.
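The hard-link bypass is easier to see in code than in prose. The following is an added example (not Talos's proof of concept and not ASUS's driver) that reproduces the logic on ordinary files: a "driver" that trusts a caller whose on-disk executable hashes to the trusted AsusCertService.exe hash, and an "attacker" that swaps the hard link between the moment the process starts and the moment the check runs. The file contents are constructed stand-ins for real binaries, and the hardened variant hashes the bytes that were actually loaded rather than whatever the path points to now.

```python
"""Hash-the-file-at-the-caller's-path authorization and the hard-link swap that defeats it.

Added example; not Talos's PoC and not ASUS's driver code. File contents are
constructed stand-ins for real executables.
"""
import hashlib
import os
import tempfile

TRUSTED_NAME = "AsusCertService.exe"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_by_path(image_path: str, trusted_hash: str) -> bool:
    """Vulnerable: re-reads whatever file the caller's image path resolves to *now*."""
    return sha256_file(image_path) == trusted_hash


def check_loaded_image(image_bytes: bytes, trusted_hash: str) -> bool:
    """Hardened: hash the bytes the process was actually started from."""
    return hashlib.sha256(image_bytes).hexdigest() == trusted_hash


def simulate_hardlink_swap(workdir: str) -> dict:
    trusted = os.path.join(workdir, TRUSTED_NAME)
    payload = os.path.join(workdir, "payload.exe")
    launcher = os.path.join(workdir, "launcher.exe")  # attacker-controlled path
    with open(trusted, "wb") as f:
        f.write(b"MZ trusted service (constructed)")
    with open(payload, "wb") as f:
        f.write(b"MZ attacker payload (constructed)")
    trusted_hash = sha256_file(trusted)

    # 1. The link initially points at the payload; "launching" it loads those bytes.
    os.link(payload, launcher)
    with open(launcher, "rb") as f:
        loaded = f.read()

    # 2. Before the driver checks, re-point the same path at the trusted binary.
    os.remove(launcher)
    os.link(trusted, launcher)

    # 3. The driver hashes the file at the path (now trusted) and admits the caller.
    with open(trusted, "rb") as f:
        trusted_bytes = f.read()
    return {
        "path_check_passes": check_by_path(launcher, trusted_hash),
        "image_check_passes": check_loaded_image(loaded, trusted_hash),
        "loaded_is_payload": loaded != trusted_bytes,
    }


def run() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        return simulate_hardlink_swap(workdir)


if __name__ == "__main__":
    print(run())
```

The path-based check passes even though the running code is the payload; the check against the loaded image does not. In a real driver the lesson is broader than the hashing detail: a file path is not a process identity, and any check that can be satisfied by rearranging the filesystem between check and use is a check the caller controls.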
ASUS Brought This Upon Themselves [24:54]
All hardware and software vendors can have vulnerabilities; ASUS is not unique. However, ASUS's problem is its insistence on pursuing certain behaviors, creating unnecessary risks for itself.
- Universality and Specificity
- While vulnerabilities are widespread in the industry, ASUS is unique in its "eagerness to continue pursuing certain types of additional risks," especially regarding its bloatware and motherboard-level forced installations like Armoury Crate.
- ASUS, as a giant multinational corporation and one of the largest suppliers in areas like DIY motherboards, has ample resources. It could invest the money saved on warranty claims into building security systems to protect user data.
- ASUS's Responsibility
- ASUS forces or sneakily installs unnecessary software (like Armoury Crate, DriverHub) onto user systems, and there are also issues with MyASUS, AI Protection, and routers.
- This software can leave behind backdoors or unknown security vulnerabilities that users are not aware of, or that remain because users forgot to disable it.
- Worse, these vulnerabilities can be nested together, forming more serious attack chains.
- The records and information of millions of customers may be at risk of exploitation, compounding existing vulnerabilities.
- The video concludes that some of ASUS's practices are creating unnecessary additional security risks.