UPDATE3 Masses of Broadband Routers Hit by Misfortune Cookie Security Scare

Friday, Dec 19th, 2014 (10:44 am) - Score 5,810

Consumers and businesses across the world are today being warned that at least 200 different models of broadband router (residential gateway) devices, including some by big name manufacturers like D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL, are exposed to a critical vulnerability called the “Misfortune Cookie” (CVE-2014-9222).

The problem, which was highlighted by researchers at Check Point’s Malware and Vulnerability Research Group, is caused by a serious vulnerability in a massively popular embedded web server (RomPager versions before 4.34 and specifically 4.07 from AllegroSoft) that is used by many router models from different manufacturers (the list of impacted devices is fairly extensive, but many more have yet to be checked).

The flaw essentially allows a remote attacker to take control of your router over the Internet, thus gaining access to your home or office network. At this point the attacker could perform all sorts of man-in-the-middle style attacks that might then be used to redirect your Internet traffic and/or to steal your personal data. All very bad news, and a special website has been set up to explain the problem in more detail.

Check Point Researchers said:

“All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser.

The Misfortune Cookie vulnerability is due to an error within the HTTP cookie [small files used by web browsers to store information] management mechanism present in the affected software, allowing an attacker to determine the ‘fortune’ of a request by manipulating cookies.

Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state. This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.

This should be considered an alarming wake-up call for the embedded device industry and consumers alike, highlighting the importance of increased security and privacy for consumer and enterprise networks.”

At this point some people might think they’re safe because perhaps their router isn’t set up to expose its web-based admin interface to the Internet, but sadly they’d be wrong. Indeed many routers, such as those bundled by broadband ISPs, are still set up to listen for connection requests on port 7547 as part of a remote management protocol called TR-069 or CWMP.

The above system is also what the ISPs use with their own Auto Configuration Servers (ACS) to automatically keep your router firmware up-to-date, but sadly the initial requests to this port are also processed by… yes, you guessed it, RomPager; although admittedly it’s not TR-069 itself that’s at fault.

At the time of writing we’re not yet sure precisely which ISPs and bundled routers in the United Kingdom might be vulnerable, although given the severity and ease of exploitability it’s probably best to assume that you might be exposed unless otherwise stated.

One additional problem is that some vendor firmware updates may patch RomPager to fix Misfortune Cookie without changing the displayed version number, which could make it extra difficult to know whether you’re protected or not (although most people wouldn’t have the knowledge or access to be able to find this information anyway).
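The version threshold and the caveat above can be turned into a simple triage of devices you administer. The following is an added example, not code from Check Point or the vendors: it parses the `Server` header from HTTP responses captured on the management or TR-069 port and, because a patched device may still show an old version, only ever reports an old banner as "check with vendor". The sample responses, addresses and label names are constructed for illustration.

```python
import re

FIXED = (4, 34)  # per the article: RomPager versions before 4.34 are affected
BANNER = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)

def server_header(raw_response: str) -> str:
    """Return the Server header value from a raw HTTP response, or ''."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":     # header names are case-insensitive
            return value.strip()
    return ""

def classify(raw_response: str) -> str:
    """Label one response by its RomPager banner (assumes two-digit minor versions)."""
    m = BANNER.search(server_header(raw_response))
    if not m:
        return "no-rompager-banner"
    version = (int(m.group(1)), int(m.group(2)))
    # An old banner is not proof: vendors may patch without bumping the version.
    return "check-with-vendor" if version < FIXED else "banner-at-or-above-fix"

def triage(inventory: dict, vendor_confirmed=frozenset()) -> dict:
    """Classify every host; a vendor's written confirmation overrides an old banner."""
    result = {}
    for host, raw in inventory.items():
        label = classify(raw)
        if label == "check-with-vendor" and host in vendor_confirmed:
            label = "vendor-confirmed-patched"
        result[host] = label
    return result

# Constructed sample responses (documentation addresses, not real devices).
SAMPLES = {
    "192.0.2.10": "HTTP/1.1 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\n\r\n",
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: RomPager/4.34\r\n\r\n",
    "192.0.2.12": "HTTP/1.1 404 Not Found\r\nServer: lighttpd\r\n\r\n",
    "192.0.2.13": "HTTP/1.1 401 Unauthorized\r\nserver: RomPager/4.07 UPnP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for host, label in triage(SAMPLES, {"192.0.2.13"}).items():
        print(f"{host:12} {label}")
```
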

Another interesting fact is that AllegroSoft actually issued a fixed version to address the Misfortune Cookie vulnerability in 2005, yet the notoriously slow patch propagation cycle means that many routers still ship today with the same flaw.

So, while we ask the ISPs for their feedback (expect an update later), what can you do about this? Firstly, if you don’t use a bundled ISP router, then check with your device’s manufacturer to make sure that you’re on the latest firmware version for your kit (most updates are simply a matter of downloading a new file and uploading it via the router’s web-based interface). It may also help to ensure that any sensitive private data on your computer is encrypted and that you’re running a good firewall.

UPDATE 2:14pm

So far Sky Broadband, BT, TalkTalk and Virgin Media have all confirmed that they’re checking their routers against the new vulnerability and have promised to report back with the results as soon as possible. We note that some of the routers do use chipsets supplied by connected manufacturers, although it’s not yet clear whether any of the specific kit they use is vulnerable.

UPDATE 20th Dec 2014

BT has confirmed that their HomeHub routers are safe. A BT Spokesperson told ISPreview.co.uk: “After undertaking an extensive review we can confirm that BT Home Hub routers are not affected by this issue.”

UPDATE 23rd Dec 2014

Sky has informed ISPreview.co.uk that their broadband customers “should not be affected by this issue because our routers do not use Rom Pager web server technology”. Meanwhile TalkTalk are currently still checking with Huawei and D-Link to see if some of their older routers are affected and Virgin Media has yet to come back to us.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.