UPDATE3 Masses of Broadband Routers Hit by Misfortune Cookie Security Scare

Friday, December 19th, 2014 (10:44 am)

Consumers and businesses across the world are today being warned that at least 200 different models of broadband router (residential gateway) devices, including some by big name manufacturers like D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL, are exposed to a critical vulnerability called the “Misfortune Cookie” (CVE-2014-9222).

The problem, which was highlighted by researchers at Check Point’s Malware and Vulnerability Research Group, is caused by a serious vulnerability in a massively popular embedded web server (RomPager versions before 4.34 and specifically 4.07 from AllegroSoft) that is used by many router models from different manufacturers (the list of impacted devices is fairly extensive, but many more have yet to be checked).

The flaw essentially allows a remote attacker to take control of your router over the Internet, thus gaining access to your home or office network. At that point the attacker could perform all sorts of man-in-the-middle style attacks, which might then be used to redirect your Internet traffic and/or to steal your personal data. All very bad news, and a dedicated website has been set up to explain the problem in more detail.

Check Point Researchers said:

“All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser.

The Misfortune Cookie vulnerability is due to an error within the HTTP cookie [small files used by web browsers to store information] management mechanism present in the affected software, allowing an attacker to determine the ‘fortune’ of a request by manipulating cookies.

Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state. This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.

This should be considered an alarming wake-up call for the embedded device industry and consumers alike, highlighting the importance of increased security and privacy for consumer and enterprise networks.”

At this point some people might think they’re safe because their router isn’t set up to expose its web-based admin interface to the Internet, but sadly they would be wrong. Many routers, such as those bundled by broadband ISPs, are still set up to listen for connection requests on port 7547 as part of a remote management protocol called TR-069 (also known as CWMP).

The same system is what ISPs use with their own Auto Configuration Servers (ACS) to automatically keep your router firmware up to date, but sadly the initial requests to this port are also processed by, yes, you guessed it, RomPager; although admittedly it’s not TR-069 itself that’s at fault.

At the time of writing we’re not yet sure precisely which ISPs and bundled routers in the United Kingdom might be vulnerable, although given the severity and ease of exploitability it’s probably best to assume that you might be exposed unless otherwise stated.

One additional problem is that some vendor firmware updates may patch RomPager to fix Misfortune Cookie without changing the displayed version number, which could make it extra difficult to know whether you’re protected or not (although most people wouldn’t have the knowledge or access to be able to find this information anyway).

Another interesting fact is that AllegroSoft actually issued a fixed version to address the Misfortune Cookie vulnerability in 2005, yet the notoriously slow patch propagation cycle means that many routers still ship today with the same flaw.

So, while we ask the ISPs for their feedback (expect an update later), what can you do about this? Firstly, if you don’t use a bundled ISP router, then check with your device’s manufacturer to make sure that you’re on the latest firmware version for your kit (most updates are simply a matter of downloading a new file and uploading it via the router’s web-based interface). It may also help to ensure that any sensitive private data on your computer is encrypted and that you’re running a good firewall.
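For readers who can capture the HTTP response their own router returns (for example on the TR-069 listener on port 7547 mentioned above, or on its web admin page), the following is a small added example, not code from the article or from Check Point or AllegroSoft, that parses the web server banner and compares any RomPager version found against the 4.34 fixed version cited in the article. The sample responses are constructed for the example, and the assumption that RomPager identifies itself in a `Server: RomPager/x.yy` header is this example’s, not a claim made by the article. It deliberately reports only “possibly affected”, because, as noted further down the article, some vendor firmware fixes do not change the displayed version number.

```python
import re
from typing import Optional, Tuple

# The article states that RomPager versions before 4.34 are affected,
# with 4.07 being the version most commonly found in the wild.
FIXED_VERSION = (4, 34)

# Constructed sample responses (not captured from any real device).
# The exact banner text of a real RomPager build is an assumption here.
SAMPLE_RESPONSES = {
    "old_rompager": (
        b"HTTP/1.1 401 Unauthorized\r\n"
        b"Server: RomPager/4.07 UPnP/1.0\r\n"
        b"WWW-Authenticate: Basic realm=\"Router\"\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "newer_rompager": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: RomPager/4.51 UPnP/1.0\r\n"   # version string is constructed
        b"Content-Length: 0\r\n\r\n"
    ),
    "other_server": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: lighttpd/1.4.35\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
}

# Header names are case-insensitive; match one header line at a time.
_SERVER_RE = re.compile(rb"^server:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)
_ROMPAGER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def server_banner(response: bytes) -> Optional[str]:
    """Return the value of the Server header, or None if absent."""
    head = response.split(b"\r\n\r\n", 1)[0]      # look at headers only
    m = _SERVER_RE.search(head)
    return m.group(1).decode("latin-1").strip() if m else None


def rompager_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a RomPager banner, or None if not RomPager."""
    m = _ROMPAGER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(response: bytes) -> str:
    """Classify a captured HTTP response from your own device.

    Returns one of:
      'unknown'                   - no Server header to go on
      'not-rompager'              - some other embedded web server
      'rompager-possibly-affected'- RomPager older than 4.34; a vendor may
                                    have patched it without bumping the
                                    banner, so confirm with the vendor
      'rompager-fixed-version'    - RomPager 4.34 or later reported
    """
    banner = server_banner(response)
    if banner is None:
        return "unknown"
    version = rompager_version(banner)
    if version is None:
        return "not-rompager"
    if version < FIXED_VERSION:
        return "rompager-possibly-affected"
    return "rompager-fixed-version"


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name:16s} banner={server_banner(raw)!r:32s} -> {assess(raw)}")
```

A “possibly affected” result is a prompt to check with the manufacturer or ISP for a fix, not a confirmation of exposure, and a “fixed version” result says nothing about other issues in the firmware.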

UPDATE 2:14pm

So far Sky Broadband, BT, TalkTalk and Virgin Media have all confirmed that they’re checking their routers against the new vulnerability and have promised to report back with the results as soon as possible. We note that some of their routers do use chipsets supplied by the manufacturers concerned, although it’s not yet clear whether any of the specific kit they use is vulnerable.

UPDATE 20th Dec 2014

BT has confirmed that their HomeHub routers are safe. A BT Spokesperson told ISPreview.co.uk: “After undertaking an extensive review we can confirm that BT Home Hub routers are not affected by this issue.”

UPDATE 23rd Dec 2014

Sky has informed ISPreview.co.uk that their broadband customers “should not be affected by this issue because our routers do not use Rom Pager web server technology”. Meanwhile TalkTalk are currently still checking with Huawei and D-Link to see if some of their older routers are affected, and Virgin Media has yet to come back to us.

5 Responses
  1. FibreFred

    Some big named routers on that list 😐

    So there’s no workaround then, it has to be patched by firmware…. don’t hold your breath

  2. Bob2002

    So can’t people just turn off TR-069 (you can do this on the TalkTalk HG635 Super Router) until their provider has announced it’s actually rolling out a firmware upgrade?

  3. Gzero

    I thought this would happen sooner or later. Yes, it’s a convenient idea to have the ISP be able to log in through a random open port that they know the authentication factor for, but not giving the customer the control to close that hole was a totally stupid idea (older Thomson models do let you telnet in and manually close the port).

    I much prefer to log in to the interface and manually check for firmware updates; that way I know I’m not forced onto a buggy firmware. Using an Asus AC56U with custom firmware now. There’s a day and night difference in configuration options between both the official firmware and custom firmware and the routers provided by ISPs.

  4. No Clue

    Many (NOT ALL) of the specific models listed on that site are crappy Trendchip based devices or very old models that have had support killed off years ago. There is not, from what I can see, a single modern Broadcom or Infineon device on that list. Most of them (if you want a new device which matches spec for spec) you could replace with a device for around £30. If you have had a router for 5+ years, especially one which was only around £50 give or take, like many on that list are, then perhaps it’s time for an upgrade anyway.

  5. fox

    2 months have passed and still no detailed technical information on how to perform a penetration test. The exact cookie content is still unknown.
    It seems the whole “vulnerability” was only a fiction.

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved