More than 12 million routers in homes and businesses around the world are vulnerable to a critical software bug that can be exploited by hackers to remotely monitor users' traffic and take administrative control over the devices, from a variety of different manufacturers.
The critical vulnerability actually resides in web server "RomPager" made by a company known as AllegroSoft, which is typically embedded into the firmware of router , modems and other "gateway devices" from about every leading manufacturer. The HTTP server provides the web-based user-friendly interface for configuring the products.
Researchers at the security software company Check Point have discovered that the RomPager versions prior to 4.34 — software more than 10 years old — are vulnerable to a critical bug, dubbed as Misfortune Cookie. The flaw named as Misfortune Cookie because it allows attackers to control the "fortune" of an HTTP request by manipulating cookies.
HOW MISFORTUNE COOKIE FLAW WORKS
The vulnerability, tracked as CVE-2014-9222 in the Common Vulnerabilities and Exposures database, can be exploited by sending a single specifically crafted request to the affected RomPager server that would corrupt the gateway device's memory, giving the hacker administrative control over it. Using which, the attacker can target any other device on that network.
"Attackers can send specially crafted HTTP cookies [to the gateway] that exploit the vulnerability to corrupt memory and alter the application and system state," said Shahar Tal, malware and vulnerability research manager with Check Point. "This, in effect, can trick the attacked device to treat the current session with administrative privileges - to the misfortune of the device owner.
Once attackers gain the control of the device, they could monitor victims' web browsing, read plaintext traffic traveling over the device, change sensitive DNS settings, steal account passwords and sensitive data, and monitor or control Webcams, computers, or other network connected devices.
MAJOR ROUTERS & GATEWAY BRANDS VULNERABLE
At least 200 different models of gateway devices, or small office/home office (SOHO) routers from various manufacturers and brands are vulnerable to Misfortune Cookie, including kit from D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.
The bug not only affects routers, modems and other gateway devices, but anything connected to them from PCs, smartphones, tablets and printers to "smart home" devices such as toasters, refrigerators, security cameras and more. This simply means if a vulnerable router is compromised, all the networked device within that LAN is at risk.
WORSE ATTACK SCENARIO
Misfortune Cookie flaw can be exploited by any attacker sitting anywhere in the world even if the gateway devices are not configured to expose its built-in Web-based administration interface to the wider Internet, making the vulnerability more dangerous.
Because many routers and gateway devices are configured to listen for connection requests publicly on port 7547 as part of a remote management protocol called TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol), allowing attackers to send a malicious cookie from far away to that port and hit the vulnerable server software.
12 MILLION DEVICES OPEN TO HIJACK
The critical vulnerability was introduced in 2002, and AllegroSoft apparently fixed the bug in its RomPager software back in 2005, but hardware from major companies such as Huawei, D-Link, ZTE and others currently sell products contains the vulnerable versions of RomPager. As demonstrated by Check Point's finding that 12 million vulnerable gateway devices in homes, offices and other locations still exist.
"We believe that devices exposing RomPager services with versions before 4.34 (and specifically 4.07) are vulnerable. Note that some vendor firmware updates may patch RomPager to fix Misfortune Cookie without changing the displayed version number, invalidating this as an indicator of vulnerability."
"Misfortune Cookie is a serious vulnerability present in millions of homes and small businesses around the world, and if left undetected and unguarded, could allow hackers to not only steal personal data, but control peoples' homes," Tal said.
So far, Check Point has not observed an attack involving Misfortune Cookie in the wild, but the company is having a close look on the older unresolved issues in which routers and gateway devices were compromised in different and unknown ways.