Security

Misfortune Cookie crumbles router security: '12 MILLION+' in hijack risk

New claim: Homes, businesses menaced by vulnerable firmware

Infosec biz Check Point claims it has discovered a critical software vulnerability that allows hackers to hijack home and small business broadband routers across the web.

The commandeered boxes could be used to launch attacks on PCs and gadgets within their local networks.

More than 12 million low-end SOHO routers worldwide are affected by the bug, dubbed Misfortune Cookie, we're told. At least 200 different models of devices from various manufacturers and brands are vulnerable, it's claimed, including kit from D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.

Anything connected to the network – PCs, phones, tablets, printers, security cameras, refrigerators, or any other networked device – is at risk from attack within that LAN, if a vulnerable router is compromised.

An attacker exploiting the Misfortune Cookie flaw could monitor victims' web browsing, screw around with DNS, steal account passwords and sensitive data, infect other machines with malware, or control devices. According to Check Point:

Attackers can send specially crafted HTTP cookies [to the gateway] that exploit the vulnerability to corrupt memory and alter the application and system state. This, in effect, can trick the attacked device to treat the current session with administrative privileges - to the misfortune of the device owner.

The affected software, we're told, is the web server RomPager from AllegroSoft, which is typically embedded in the firmware in router and gateway devices. The HTTP server provides the web-based user-friendly interface for configuring the products.

To close the security hole, CVE-2014-9222, one must patch the device's firmware – assuming this is even possible and your manufacturer has released an update. AllegroSoft apparently fixed the bug in 2005, but the corrected code has yet to make it into routers in homes and offices. The programming blunder was introduced in 2002 when the biz distributed the software to manufacturers, it's claimed.

Even if the gateway is configured to not expose its builtin web server to the wider internet, many devices listen publicly on port 7547 to receive instructions from ISPs via the TR-069 or Customer Premises Equipment WAN Management Protocol – allowing hackers to send a malicious cookie from far away to that port and hit the vulnerable server software.

One workaround would be to make sure your gateway or router's web server is not open to the public on ports 80, 8080, 443, 7547, and possibly others. According to Check Point:

We believe that devices exposing RomPager services with versions before 4.34 (and specifically 4.07) are vulnerable. Note that some vendor firmware updates may patch RomPager to fix Misfortune Cookie without changing the displayed version number, invalidating this as an indicator of vulnerability.

“Misfortune Cookie is a serious vulnerability present in millions of homes and small businesses around the world, and if left undetected and unguarded, could allow hackers to not only steal personal data, but control peoples’ homes,” said Shahar Tal, malware and vulnerability research manager at Check Point.

More information about Misfortune Cookie, affected devices, and how consumers and businesses can protect themselves, can be found on the mis.fortunecook.ie website.

It's hoped hardware makers will come under pressure to patch their kit as word of the flaw spreads. Check Point has not revealed technical details of the bug in the interest of responsible disclosure.

A spokesman for Allegro could not be reached for comment at time of writing. ®

Sponsored: HPC and HPDA for the Cognitive Journey with OpenPOWER