
UPDATE3 Masses of Broadband Routers Hit by Misfortune Cookie Security Scare

Friday, December 19th, 2014 (10:44 am) - Score 5,810

Consumers and businesses across the world are today being warned that at least 200 different models of broadband router (residential gateway) devices, including some by big name manufacturers like D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL, are exposed to a critical vulnerability called the “Misfortune Cookie” (CVE-2014-9222).

The problem, which was highlighted by researchers at Check Point’s Malware and Vulnerability Research Group, is caused by a serious vulnerability in a massively popular embedded web server (RomPager versions before 4.34 and specifically 4.07 from AllegroSoft) that is used by many router models from different manufacturers (the list of impacted devices is fairly extensive, but many more have yet to be checked).

The flaw essentially allows a remote attacker to take control of your router over the Internet, thus gaining access to your home or office network. At this point the attacker could perform all sorts of man-in-the-middle style attacks that might then be used to redirect your Internet traffic and/or steal your personal data. All very bad news, and a special website has been set up to explain the problem in more detail.

Check Point Researchers said:

“All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser.

The Misfortune Cookie vulnerability is due to an error within the HTTP cookie [small files used by web browsers to store information] management mechanism present in the affected software, allowing an attacker to determine the ‘fortune’ of a request by manipulating cookies.

Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state. This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.

This should be considered an alarming wake-up call for the embedded device industry and consumers alike, highlighting the importance of increased security and privacy for consumer and enterprise networks.”

At this point some people might think they’re safe because their router isn’t set up to expose its web-based admin interface to the Internet, but sadly that would be wrong. Many routers, such as those bundled by broadband ISPs, are still set up to listen for connection requests on port 7547 as part of a remote management protocol called TR-069 or CWMP.

The above system is also what the ISPs use with their own Auto Configuration Servers (ACS) to automatically keep your router firmware up-to-date, but sadly the initial requests to this port are also processed by... yes, you guessed it, RomPager; although admittedly it’s not TR-069 itself that’s at fault.

At the time of writing we’re not yet sure precisely which ISPs and bundled routers in the United Kingdom might be vulnerable, although given the severity and ease of exploitability it’s probably best to assume that you might be exposed unless otherwise stated.

One additional problem is that some vendor firmware updates may patch RomPager to fix Misfortune Cookie without changing the displayed version number, which could make it extra difficult to know whether you’re protected or not (although most people wouldn’t have the knowledge or access to be able to find this information anyway).
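As an added illustration (not from Check Point or any vendor), the sketch below classifies an HTTP response captured from your own router by its Server banner against the 4.34 threshold given above. It assumes the embedded server identifies itself as "RomPager/<major>.<minor>" with a two-digit minor version; the sample responses are constructed.

```python
import re
from typing import Optional

FIXED = (4, 34)  # per the article: RomPager versions before 4.34 are affected

# Assumption: banner looks like "RomPager/4.07 UPnP/1.0" (two-digit minor).
BANNER = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)

# Constructed sample responses, e.g. as saved from the admin port or port 7547.
SAMPLES = {
    "old": b"HTTP/1.1 404 Not Found\r\nServer: RomPager/4.07 UPnP/1.0\r\n"
           b"Content-Length: 0\r\n\r\n",
    "new": b"HTTP/1.1 200 OK\r\nserver: RomPager/4.51 UPnP/1.0\r\n\r\n",
    "other": b"HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n",
    "none": b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n\r\n",
}


def server_header(raw_response: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, if any."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify(raw_response: bytes) -> str:
    """Map one captured response to a coarse status string."""
    banner = server_header(raw_response)
    if banner is None:
        return "no-banner"
    match = BANNER.search(banner)
    if match is None:
        return "not-rompager"
    version = (int(match.group(1)), int(match.group(2)))
    # A vendor may patch without changing the banner, so "affected-by-banner"
    # is a prompt to confirm the firmware with the manufacturer, not proof.
    return "affected-by-banner" if version < FIXED else "fixed-by-banner"


if __name__ == "__main__":
    for label, response in SAMPLES.items():
        print(label, server_header(response), classify(response))
```

Because a patched build can keep an old banner, and a device may suppress the banner entirely, treat the result as a reason to ask the vendor or ISP rather than a verdict.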

Another interesting fact is that AllegroSoft actually issued a fixed version to address the Misfortune Cookie vulnerability in 2005, yet the notoriously slow patch propagation cycle means that many routers still ship today with the same flaw.

So, while we ask the ISPs for their feedback (expect an update later), what can you do about this? Firstly, if you don’t use a bundled ISP router, then check with your device’s manufacturer to make sure that you’re on the latest firmware version for your kit (most updates are simply a matter of downloading a new file and uploading it via the router’s web-based interface). It may also help to ensure that any sensitive private data on your computer is encrypted and that you’re running a good firewall.

UPDATE 2:14pm

So far Sky Broadband, BT, TalkTalk and Virgin Media have all confirmed that they’re checking their routers against the new vulnerability and have promised to report back with the results as soon as possible. We note that some of the routers do use chipsets supplied by connected manufacturers, although it’s not yet clear whether any of the specific kit they use is vulnerable.

UPDATE 20th Dec 2014

BT has confirmed that their HomeHub routers are safe. A BT Spokesperson told ISPreview.co.uk: “After undertaking an extensive review we can confirm that BT Home Hub routers are not affected by this issue.”

UPDATE 23rd Dec 2014

Sky has informed ISPreview.co.uk that their broadband customers “should not be affected by this issue because our routers do not use Rom Pager web server technology”. Meanwhile TalkTalk are currently still checking with Huawei and D-Link to see if some of their older routers are affected and Virgin Media has yet to come back to us.
