Misfortune Cookie flaw exposes more than 12 million SOHO routers to the risk of a cyber attack

Pierluigi Paganini December 18, 2014

More than 12 million devices are vulnerable to a simple attack that could compromise their home routers exploiting a vulnerability called Misfortune Cookie.

More than  12 Million Home Routers are affected by a vulnerability called Misfortune Cookie that expose users to the risk of cyber attack. Researchers at Check Point Software Technologies reported the Misfortune Cookie flaw affects millions of devices running an embedded web server called RomPager, the vulnerability could be exploited by an attacker to run a man-in-the-middle attack on traffic going to and from home routers from every manufacturer.

It must be also considered that an attacker compromising a vulnerable device like a home router could remote target other devices on a local network, such as a smart TV or a printer.

“The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes,” Check Point wrote in an analysis published today. “This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.”

According to the experts, several residential gateways (SOHO router) manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and many others are currently exposed to takedown.

“It has been assigned the CVE-2014-9222 identifier. This severe vulnerability allows an attacker to remotely take over the device with administrative privileges. ” states the company.

Researchers at Check Point Software Technologies reported the Misfortune Cookie, flaw to vendors and manufacturers that produce the flawed devices.

Misfortune Cookie SOHO routers 2

Despite manufacturers and vendors announced an imminent release of a new firmware and software update, the fear of security experts is that the device owner will not install them leaving the devices exposed to the attacks.

The Misfortune Cookie vulnerability in the RomPager web server is exploitable by simply sending a malicious HTTP cookie to the target, causing the memory corruption on the device and allowing an attacker to remotely gain administrative access to it.

“We hope this is a game-changing wake-up call,” said Shahar Tal, malware and vulnerability research manager with Check Point. “Certainly in terms of numbers, I don’t remember a vulnerability released that had 12 million endpoints online since maybe Conficker in 2008. This is really, really bad and the incredibly slow update propagation chain makes it worse.”

Another disconcerting aspect of the story is that the code affected by the Misfortune Cookie vulnerability was written in 2002 and distributed to chipset makers bundled in a software development kit (SDK). The SDK was used by the principal manufacturers to develop the firmware for their SOHO devices.

“The vulnerable code is from 2002 and was actually fixed in 2005 [by AllegroSoft, makers of RomPager] and yet still did not make it into consumer devices,” Tal said. “It’s present in device firmware manufactured in 2014 that we downloaded last month. This is an industry problem; something is wrong.”

Experts at Check Point Software Technologies conducted Internet scans that revealed 12 million devices exposed online in 189 countries, in some of those countries more than 50% of the Internet users is exposed at risk.

“Even when people become aware of this, I don’t expect updated firmware to be deployed in 189 countries,” Tal said. “This will be with us for months and years to come.”

In time I’m writing security experts are not aware of any exploits of the Misfortune Cookie vulnerability, but it’s a question of time.

“This is very easy to exploit once you figure out the program internals,” Tal said. “We are assuming that some researchers will do that in upcoming days and we hope vendors react as fast as possible to get consumers protected.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Misfortune Cookie, SOHO devices)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment