Asus

Products by Asus Sorted by Most Security Vulnerabilities since 2018

Asus Armoury Crate: 3 vulnerabilities

Asuswrt: 3 vulnerabilities

Asus Firmware: 2 vulnerabilities

Asus Control Center: 2 vulnerabilities

Asus GPUTweak II: 2 vulnerabilities

Asus WebStorage: 1 vulnerability

Asus SmartHome: 1 vulnerability

SetupAsusServices: 1 vulnerability

Asus RT-N11: 1 vulnerability

Asus RT-AC52U_B1 Firmware: 1 vulnerability

Asus ROG Live Service: 1 vulnerability

Asus Precision Touchpad: 1 vulnerability

MyASUS: 1 vulnerability

Asus Aura Sync: 1 vulnerability

AsusSwitch: 1 vulnerability

AsusSoftwareManager: 1 vulnerability

AsusLiveUpdate: 1 vulnerability

Asus ASMB8 iKVM Firmware: 1 vulnerability

By the Year

In 2024 there has been 1 vulnerability in Asus products, with an average score of 9.8 out of ten. Last year Asus had 3 security vulnerabilities published. At the current rate, the number of vulnerabilities this year may end up equal to last year's. However, the average CVE base score of the vulnerabilities in 2024 is greater by 1.33.

Year Vulnerabilities Average Score
2024 1 9.80
2023 3 8.47
2022 11 7.61
2021 3 6.87
2020 3 6.03
2019 2 9.30
2018 2 9.80

It may take a day or so for new Asus vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Asus Security Vulnerabilities

CVE-2023-5716 9.8 - Critical - January 19, 2024

ASUS Armoury Crate has a vulnerability in arbitrary file write and allows remote attackers to access or modify arbitrary files by sending specific HTTP requests without permission.

CVE-2023-26911 7.8 - High - July 26, 2023

ASUS SetupAsusServices v1.0.5.1 in Asus Armoury Crate v5.3.4.0 contains an unquoted service path vulnerability which allows local users to launch processes with elevated privileges.

Unquoted Search Path or Element

CVE-2023-26602 9.8 - Critical - February 26, 2023

ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.

Command Injection

CVE-2022-42455 7.8 - High - February 15, 2023

ASUS EC Tool driver (aka d.sys) 1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb, as signed by ASUS and shipped with multiple ASUS software products, contains multiple IOCTL handlers that provide raw read and write access to port I/O and MSRs via unprivileged IOCTL calls. Local users can gain privileges.

CVE-2022-44898 7.8 - High - December 14, 2022

The MsIo64.sys component in Asus Aura Sync through v1.07.79 does not properly validate input to IOCTL 0x80102040, 0x80102044, 0x80102050, and 0x80102054, allowing attackers to trigger a memory corruption and cause a Denial of Service (DoS) or escalate privileges via crafted IOCTL requests.

Memory Corruption

CVE-2022-36438 7.8 - High - October 18, 2022

AsusSwitch.exe on ASUS personal computers (running Windows) sets weak file permissions, leading to local privilege escalation (this also can be used to delete files within the system arbitrarily). This affects ASUS System Control Interface 3 before 3.1.5.0, and AsusSwitch.exe before 1.0.10.0.

Incorrect Default Permissions

CVE-2022-36439 6 - Medium - October 18, 2022

AsusSoftwareManager.exe in ASUS System Control Interface on ASUS personal computers (running Windows) allows a local user to write into the Temp directory and delete another more privileged file via SYSTEM privileges. This affects ASUS System Control Interface 3 before 3.1.5.0, AsusSoftwareManger.exe before 1.0.53.0, and AsusLiveUpdate.dll before 1.0.45.0.

CVE-2022-38699 5.9 - Medium - September 28, 2022

Armoury Crate Services logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.

Insecure Temporary File

CVE-2022-26376 9.8 - Critical - August 05, 2022

A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

Memory Corruption

CVE-2022-26668 6.5 - Medium - June 20, 2022

ASUS Control Center API has a broken access control vulnerability. An unauthenticated remote attacker can call privileged API functions to perform partial system operations or cause partial disrupt of service.

AuthZ

CVE-2022-26669 6.5 - Medium - June 20, 2022

ASUS Control Center is vulnerable to SQL injection. An authenticated remote attacker with general user privilege can inject SQL command to specific API parameters to acquire database schema or access data.

SQL Injection

CVE-2022-26672 9.8 - Critical - April 22, 2022

ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information.

Use of Hard-coded Credentials

CVE-2022-22814 9.8 - Critical - March 10, 2022

The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation.

CVE-2022-22262 7.7 - High - March 01, 2022

ROG Live Services function for deleting temp files created by installation has an improper link resolution before file access vulnerability. Since this function does not validate the path before deletion, an unauthenticated local attacker can create an unexpected symbolic link to system file path, to delete arbitrary system files and disrupt system service.

Insecure Temporary File

CVE-2021-46109 6.1 - Medium - January 03, 2022

Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931 can lead to a user session hijack.

XSS

CVE-2021-40981 7.3 - High - September 27, 2021

ASUS ROG Armoury Crate Lite before 4.2.10 allows local users to gain privileges by placing a Trojan horse file in the publicly writable %PROGRAMDATA%\ASUS\GamingCenterLib directory.

DLL preloading

CVE-2021-28685 7.8 - High - April 08, 2021

AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to interact directly with physical memory (by calling one of several driver routines that map physical memory into the virtual address space of the calling process) and to interact with MSR registers. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl.

CVE-2021-28686 5.5 - Medium - April 08, 2021

AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to trigger a stack-based buffer overflow. This could enable low-privileged users to achieve Denial of Service via a DeviceIoControl.

Memory Corruption

CVE-2020-12695 7.5 - High - June 08, 2020

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Incorrect Default Permissions

CVE-2018-8878 5.3 - Medium - February 27, 2020

Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network devices' hostnames and MAC addresses by reading the custom_id variable on the blocking.asp page.

Information Disclosure

CVE-2018-8877 5.3 - Medium - February 27, 2020

Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network IP address ranges by reading the new_lan_ip variable on the error_page.htm page.

Information Disclosure

CVE-2019-10709 9.8 - Critical - September 04, 2019

AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call.

Permissions, Privileges, and Access Controls

CVE-2019-11063 8.8 - High - August 29, 2019

A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Missing Authentication for Critical Function

CVE-2018-5999 9.8 - Critical - January 22, 2018

An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.

CVE-2018-6000 9.8 - Critical - January 22, 2018

An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.

AuthZ

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).