Page 2 of 12 FirstFirst 1 2 3 4 ... LastLast
Results 11 to 20 of 113
  1. #11
    New ROGer Array Lugusto PC Specs
    Lugusto PC Specs
    MotherboardASUS Z170I PRO GAMING
    ProcessorIntel Core i7-6700K
    Memory (part number)Corsair CMK32GX4M2B3000C15
    Graphics Card #1EVGA GeForce GTX 980 Ti
    Storage #1Samsung 960 EVO 250GB M.2 SSD
    Storage #2Seagate BarraCuda 4TB 3.5"
    CPU CoolerCorsair Hydro H80i GT
    CaseSilverStone Sugo SST-SG13B-Q
    Power SupplySilverStone SST-ST85F-GS
    OS Windows 10 Pro x64

    Join Date
    Oct 2017
    Reputation
    10
    Posts
    9

    Submitted to ASUS support

    I work in a security sensitive environment where we use solely HP equipment with discrete Infineon TPMs. HP have already released firmware updates for a vast range of their affected enterprise products.

    In my personal PC I use the discrete ASUS module "ASUS TPM R2.0" which uses one of the affected chips: https://www.amazon.co.uk/dp/B01CK5VY...740111_TE_item

    As was mentioned above, ASUS don't produce many discrete TPM offerings so it shouldn't be asking too much to request fixes for the devices we've invested in. I've posted a message to ASUS support linking this thread and I'll let you know what their line is.

    Regards

  2. #12
    ROG Guru: Yellow Belt Array unknownmiscreant PC Specs
    unknownmiscreant PC Specs
    Laptop (Model)Dell E430s (i7)
    MotherboardCrosshair VI Hero
    ProcessorRyzen 7 1700X
    Memory (part number)F4-3200C14D-16GFX (Currently clocked 3466MHz)
    Graphics Card #1EVGA GTX1070 FTW
    Sound CardAsus Strix Soar
    Monitor2x Dell U2412M
    Storage #1Intel 540s
    Storage #2Intel 520
    CPU CoolerEK Supremacy Evo
    CaseCorsair 460x
    Power SupplyEVGA 850 G2
    Keyboard Logitech G610 Cherry MX Brown
    Mouse Logitech G502
    Mouse Pad Logitech G640
    Headset/Speakers Custom built sound system
    OS Win 10
    Network RouterNetgear Nighthawk

    Join Date
    Jul 2017
    Reputation
    10
    Posts
    180

    Quote Originally Posted by Lugusto View Post
    I work in a security sensitive environment where we use solely HP equipment with discrete Infineon TPMs. HP have already released firmware updates for a vast range of their affected enterprise products.

    In my personal PC I use the discrete ASUS module "ASUS TPM R2.0" which uses one of the affected chips: https://www.amazon.co.uk/dp/B01CK5VY...740111_TE_item

    As was mentioned above, ASUS don't produce many discrete TPM offerings so it shouldn't be asking too much to request fixes for the devices we've invested in. I've posted a message to ASUS support linking this thread and I'll let you know what their line is.

    Regards
    Good luck with asus support. In my book they are pretty *** useless. I sent a very repeatable issue in to them with exact steps and incredibly detailed system specs over a month ago, was told it had been escalated to global support and have received nothing further since.

  3. #13
    New ROGer Array
    Join Date
    Oct 2017
    Reputation
    10
    Posts
    3

    Quote Originally Posted by Lugusto View Post
    I work in a security sensitive environment where we use solely HP equipment with discrete Infineon TPMs. HP have already released firmware updates for a vast range of their affected enterprise products.

    In my personal PC I use the discrete ASUS module "ASUS TPM R2.0" which uses one of the affected chips: https://www.amazon.co.uk/dp/B01CK5VY...740111_TE_item

    As was mentioned above, ASUS don't produce many discrete TPM offerings so it shouldn't be asking too much to request fixes for the devices we've invested in. I've posted a message to ASUS support linking this thread and I'll let you know what their line is.

    Regards
    Thanks, I'd appreciate hearing that as well.

  4. #14
    New ROGer Array Lugusto PC Specs
    Lugusto PC Specs
    MotherboardASUS Z170I PRO GAMING
    ProcessorIntel Core i7-6700K
    Memory (part number)Corsair CMK32GX4M2B3000C15
    Graphics Card #1EVGA GeForce GTX 980 Ti
    Storage #1Samsung 960 EVO 250GB M.2 SSD
    Storage #2Seagate BarraCuda 4TB 3.5"
    CPU CoolerCorsair Hydro H80i GT
    CaseSilverStone Sugo SST-SG13B-Q
    Power SupplySilverStone SST-ST85F-GS
    OS Windows 10 Pro x64

    Join Date
    Oct 2017
    Reputation
    10
    Posts
    9

    Reply from ASUS support

    Can't say I'm surprised, this is all I've got so far;

    "Thank you for the additional information. I have passed it along to HQ for investigation. It will be their decision to patch it in future updates so we can't say with certainty that it will be patched as it also depends on the TPM vendor, since it is a separately purchased TPM rather than embedded.

    At this time we can only suggest to keep an eye on the ASUS support website and forums for future updates."

    I've replied with;

    "Please can I have contact and case information for HQ so that I can contact them to request and update if neccesary.

    Also I would point out that this is an ASUS branded device and is listed as an official accessory on the ASUS UK website:

    https://uk.store.asus.com/asus-trust...passwords.html

    This means you should be providing support for it. It is a relatively specialised item so customers who've bought the device will be using it for a specific security sensitive application and will expect support for this sort of problem.

    If the vulnerability is allowed to remain the device is rendered completely useless in these applications, as its sole purpose is no longer fulfilled."

    Again, if I get further info I'll update the thread here.

  5. #15
    ROG Junior Member Array
    Join Date
    Oct 2017
    Reputation
    10
    Posts
    4

    Angry

    Quote Originally Posted by Lugusto View Post
    Can't say I'm surprised, this is all I've got so far;

    "Thank you for the additional information. I have passed it along to HQ for investigation. It will be their decision to patch it in future updates so we can't say with certainty that it will be patched as it also depends on the TPM vendor, since it is a separately purchased TPM rather than embedded. At this time we can only suggest to keep an eye on the ASUS support website and forums for future updates."
    So this is an incorrect opinion from consumer facing support. They really should not be expressing such misguided advice. Clearly they have no understanding of the regulatory environments in which their products are sold around the world, let alone customer needs or obligations that their company has to customers. They probably have this confused with a warranty issue, rather than obligations under trade practices, and common law.

    Nor do they demonstrate an understanding of; basic security practices, the point of providing patches to your customers, the obligation they have to already have information available to their clients on what is vulnerable, what is not, and what the workarounds are, whenever a major flaw (certainly any CVE) is made public.

    I raised the issue directly to support too. The support person that responded to me intimated that the MS patch was a fix rather than a workaround, and that they were waiting on another vendor for a patch. Strange as Infineon did exactly this, a long time back.

    We could not wait any longer for them though- it's been a week now with the exploit public. As we finished patching all the HP kit, I had to explain that to my team that Asus had not provided any advice, let alone patches. We finished removing every Asus host from production yesterday. That surely wasn't my finest moment! I should have bought IBM (or surely not, Lenovo)!

    The fact that the Infineon (not just HP, MS, etc.) distributed a fix to its partners long ago, shows some vendors do understand their obligations, or at least reputational impacts. Asus OTOH does nothing other than respond to a few individual customer queries privately tells all customers that they are having trouble supporting products they are bound to support, let alone products that are more than a year old.

    Strange, as I wouldn't consider Asus bad in the way they deliver firmware fixes for their motherboards normally. I'm sure of only one thing- I'll not buy Asus again! Sure they make a good, if not great, product, but it seems they are yet to figure out that supporting embedded logic is far less optional than ever. Worse when you consider this really never was optional! They need to check their product support efforts, before they they cause a major, reputation-shredding impact.
    Last edited by pl_02; 10-31-2017 at 05:22 AM.

  6. #16
    New ROGer Array Lugusto PC Specs
    Lugusto PC Specs
    MotherboardASUS Z170I PRO GAMING
    ProcessorIntel Core i7-6700K
    Memory (part number)Corsair CMK32GX4M2B3000C15
    Graphics Card #1EVGA GeForce GTX 980 Ti
    Storage #1Samsung 960 EVO 250GB M.2 SSD
    Storage #2Seagate BarraCuda 4TB 3.5"
    CPU CoolerCorsair Hydro H80i GT
    CaseSilverStone Sugo SST-SG13B-Q
    Power SupplySilverStone SST-ST85F-GS
    OS Windows 10 Pro x64

    Join Date
    Oct 2017
    Reputation
    10
    Posts
    9

    Can I please have that hour of my life back?

    I asked for contact information for 'HQ' so that I could track & chase the case for updates periodically:

    "I'm sorry however we cannot provide contact and case information for HQ"

    So, I asked how I would instead be updated once it was passed off to 'HQ', their reply:

    "You will not be updated personally. If or when there will be updates regarding this specific matter, it will be posted on the ASUS support page of the product"

    Then I asked where the support page was, as I couldn't find it:

    "There isn't a support page for the TPM module itself at this time. There will be one if or when HQ decides that one is required"

    Yea, so they're not going to patch it.

  7. #17
    ROG Guru: Yellow Belt Array unknownmiscreant PC Specs
    unknownmiscreant PC Specs
    Laptop (Model)Dell E430s (i7)
    MotherboardCrosshair VI Hero
    ProcessorRyzen 7 1700X
    Memory (part number)F4-3200C14D-16GFX (Currently clocked 3466MHz)
    Graphics Card #1EVGA GTX1070 FTW
    Sound CardAsus Strix Soar
    Monitor2x Dell U2412M
    Storage #1Intel 540s
    Storage #2Intel 520
    CPU CoolerEK Supremacy Evo
    CaseCorsair 460x
    Power SupplyEVGA 850 G2
    Keyboard Logitech G610 Cherry MX Brown
    Mouse Logitech G502
    Mouse Pad Logitech G640
    Headset/Speakers Custom built sound system
    OS Win 10
    Network RouterNetgear Nighthawk

    Join Date
    Jul 2017
    Reputation
    10
    Posts
    180

    Quote Originally Posted by Lugusto View Post
    I asked for contact information for 'HQ' so that I could track & chase the case for updates periodically:
    ~~SNIP~~

    Yea, so they're not going to patch it.
    Asus support are utterly pathetic. I have not dealt with such a useless ill informed support line that gives such scripted answers ever before. I'll hassle asus support about this too. The only way this might get fixed is if everyone writes to asus support about it. Then they might listen... I wonder if anyone at asus realizes that there are laws against this sort of thing in my country for precisely this reason.

  8. #18
    New ROGer Array
    Join Date
    Aug 2017
    Reputation
    10
    Posts
    10

    Also need firmware fix if Asus ir reading.

  9. #19
    ROG Guru: Yellow Belt Array unknownmiscreant PC Specs
    unknownmiscreant PC Specs
    Laptop (Model)Dell E430s (i7)
    MotherboardCrosshair VI Hero
    ProcessorRyzen 7 1700X
    Memory (part number)F4-3200C14D-16GFX (Currently clocked 3466MHz)
    Graphics Card #1EVGA GTX1070 FTW
    Sound CardAsus Strix Soar
    Monitor2x Dell U2412M
    Storage #1Intel 540s
    Storage #2Intel 520
    CPU CoolerEK Supremacy Evo
    CaseCorsair 460x
    Power SupplyEVGA 850 G2
    Keyboard Logitech G610 Cherry MX Brown
    Mouse Logitech G502
    Mouse Pad Logitech G640
    Headset/Speakers Custom built sound system
    OS Win 10
    Network RouterNetgear Nighthawk

    Join Date
    Jul 2017
    Reputation
    10
    Posts
    180

    Quote Originally Posted by Susliks View Post
    Also need firmware fix if Asus ir reading.
    Go make a support ticket. I doubt they will listen here.

  10. #20
    ROG Junior Member Array
    Join Date
    Oct 2017
    Reputation
    10
    Posts
    4

    They have to fix it

    Quote Originally Posted by Lugusto View Post
    I asked for contact information for 'HQ' so that I could track & chase the case for updates periodically:

    "I'm sorry however we cannot provide contact and case information for HQ"

    So, I asked how I would instead be updated once it was passed off to 'HQ', their reply:

    "You will not be updated personally. If or when there will be updates regarding this specific matter, it will be posted on the ASUS support page of the product"

    Then I asked where the support page was, as I couldn't find it:

    "There isn't a support page for the TPM module itself at this time. There will be one if or when HQ decides that one is required"

    Yea, so they're not going to patch it.
    No, it is just that the questions you are asking are above their pay-grade. And their manager's manager probably too.

    Just ask for updates against your ticket. It is all you can hope for.

    The chain of command does not work the same way in Taipei. The business is clearly not telling their development and support teams how products require pro-active support. Either that or someone missed the public release of this bug, and everyone is playing scared emu in the shifting desert of firmware support. It could be that they simply don't get that the supply-chain relies on consumer (let alone enterprise) support being provided for products sold into each market.

    As many would undertstand, brands are impacted by selling insecure products, or others which become insecure. The risks that all products face in the field is trending up, which in turn risks brand-value. As a result, vendors (not just Asus) need to be increasing their vigilance over these things, and increasing the level of support around security-related incidents. After all, CVEs as bad as this have even seen MS releasing updates for 15 year old products.

    That said, it looks as if this occurred because someone is is not providing the resources and directives necessary to ensure these products are adequately supported. Perhaps they are not serious enough about selling enterprise product to have a focus on crypto (though I don't see how this can be). However Asus is an old company by industry standards, and SSL and TLS are pretty much avoided in China as the bureaucracy involved in setting up a domain, let gaining a certificate from a CA is almost impossible. Globally, not just in Asia, many managements have trouble dealing with the risks around MiTM attacks, in China especially as so many think/assume the government can prevail by scaring everyone into not doing bad things.

    For now, it will be interesting to see if the fix, if there ever is one, introduces other vulnerabilities. They've certainly been caught out so far...
    Last edited by pl_02; 11-06-2017 at 04:37 AM.

Page 2 of 12 FirstFirst 1 2 3 4 ... LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •