Misfortune Cookie: The Hole in Your Internet Gateway

What is the Misfortune Cookie vulnerability?

Misfortune Cookie is a critical vulnerability that allows an intruder to remotely take over a residential gateway device and use it to attack the devices connected to it.

Researchers from Check Point’s Malware and Vulnerability Research Group recently uncovered this critical vulnerability present on millions of residential gateway (SOHO router) devices from different models and makers. It has been assigned the CVE-2014-9222 identifier. This severe vulnerability allows an attacker to remotely take over the device with administrative privileges.

How many devices are affected?
To date, researchers have distinctly detected at least 12 million readily exploitable devices connected to the Internet across the globe, making this one of the most widespread vulnerabilities revealed in recent years.

How does it affect me?
If your gateway device is vulnerable, then any device connected to it – including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network – may be at increased risk of compromise. An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast.

Is it that bad?

What makes Misfortune Cookie more dangerous than many other embedded device vulnerabilities?
Misfortune Cookie is unique due to a combination of multiple factors, including its severity, ease of exploitability, the absence of almost any preconditions, and the sheer volume of vulnerable devices. This should be considered a game-changing wake-up call for the embedded device industry and consumers alike, highlighting the importance of increased security and privacy for consumer and enterprise networks.

Why have you named it Misfortune Cookie?
The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism present in the affected software, allowing an attacker to determine the ‘Fortune’ of a request by manipulating cookies. Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application state. This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.

Which models are affected? Am I affected?

Our research has detected at least 200 different models of devices of various manufacturers and brands currently exposing a vulnerable service on the public Internet address space. The majority of these devices are residential gateways.

The list includes models by D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL, among others. We suspect that the source for inclusion of the vulnerable piece of software is a common chipset SDK (distributed to the different manufacturers), however this cannot be confirmed at this point.

Prior to this publication and the expected firmware patches, we believe that devices containing RomPager services with versions before 4.34 (and specifically 4.07) are vulnerable. Note that some vendor firmware updates may patch RomPager to fix Misfortune Cookie without changing the displayed version number, invalidating this as an indicator of vulnerability.
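As an added illustration (not part of the original FAQ or of any Check Point tooling), the following Python helper applies the version rule above to HTTP Server header values collected from gateways you administer. The inventory labels and banners are constructed, and a "likely vulnerable" verdict is only a version-based indicator because of the caveat just stated.

```python
import re
from typing import Dict, Optional, Tuple

# Per the advisory, RomPager builds below 4.34 are assumed vulnerable; 4.07 is the
# build most commonly seen. A vendor may have backported the fix without bumping
# the banner, so a version match is an indicator to follow up on, not proof.
FIXED_VERSION = (4, 34)

LIKELY_VULNERABLE = "likely-vulnerable-by-version"
NOT_FLAGGED = "version-not-flagged"
NO_BANNER = "no-rompager-banner"


def parse_rompager_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Return the RomPager version as a tuple of ints, e.g. (4, 7) for
    'RomPager/4.07', or None if the header does not advertise RomPager."""
    match = re.search(r"RomPager/(\d+(?:\.\d+)*)", server_header, re.IGNORECASE)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def assess(server_header: str) -> str:
    """Classify one HTTP Server header value against the 4.34 threshold."""
    version = parse_rompager_version(server_header)
    if version is None:
        return NO_BANNER
    return LIKELY_VULNERABLE if version < FIXED_VERSION else NOT_FLAGGED


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device label to its assessment (headers supplied by the operator)."""
    return {label: assess(header) for label, header in inventory.items()}


# Constructed sample: Server header values as they might appear in an inventory
# of gateways you manage (hypothetical labels and banners, not real devices).
SAMPLE_INVENTORY = {
    "gateway-a": "Server: RomPager/4.07 UPnP/1.0",
    "gateway-b": "RomPager/4.51 UPnP/1.0",
    "gateway-c": "Apache/2.2.22",
    "gateway-d": "RomPager/4.34",
}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{label}: {verdict}")
```

Devices flagged here still need confirmation from the vendor's release notes, since the banner alone cannot tell a backported fix from an unpatched build.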

What can I do to protect against the vulnerability?

For consumers and small businesses, Check Point recommends adding ZoneAlarm firewall to your PC to significantly enhance your protection from attack. All ZoneAlarm products include a two-way firewall and a proprietary OSFirewall™ that blocks malicious activity on your computer and is hardened with self-protection to prevent it from being disabled by malware. For a limited time through December 26, to help consumers protect their PC from attack, we’re offering ZoneAlarm PRO Firewall for only $9.95 (regularly $40) through this link.

Also, be smart about your privacy. Make sure your devices and any documents or folders containing sensitive information are password protected. Consider adding more privacy to your browsing by using HTTPS connections to encrypt all your browser activity.

I’m a more technical user. What else can I do to protect my system?

Watch for firmware updates from your device vendor addressing Misfortune Cookie, and apply the update as soon as it is released.

More technical users may flash alternative firmware to their device, replacing the vulnerable service (note that this may void your vendor's warranty). Another option is to configure your current gateway as a bridge and use a second, secure device as your Internet dialer/gateway.

Check Point IPS does block any attempt to exploit Misfortune Cookie if deployed over the relevant live traffic. If you are a service provider in control of device fleets, please read our ‘Protecting your customers from the Misfortune Cookie vulnerability’ whitepaper. If you have a vulnerable device owned and managed by your service provider, you can contact their customer support to request a fix.

Remember that your gateway’s security is another layer in your network security defenses – you should have endpoint protections in place, including firewalls, anti-virus software, and a freshly updated operating system.

Can I detect if I was compromised using Misfortune Cookie?
Typically you would not have logs or other traces of Misfortune Cookie exploitation. General warning signs may be the inability to log in to the web interface or the discovery of changed settings in your device.

Are any Check Point devices affected by Misfortune Cookie?

Can you further explain the technical risk?
An attacker with administrative access to your gateway holds an alarming degree of control over your wired and/or wireless network (local area network, a.k.a. LAN) infrastructure, regardless of whether your gateway is in front of your home or your business. Such control puts devices at risk of Man-in-the-Middle attacks, greatly increases the attack surface for LAN-side vulnerabilities, and gives attackers the ability to directly monitor connections and identifiers belonging to your devices. The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes. This free WAN-to-LAN crossing also bypasses any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials, as we’ve recently seen in the news) or extract data from your business NAS backup drive.

Are you aware of attackers exploiting Misfortune Cookie?
Not yet, although we feel we can assume certain attackers have already discovered and exploited the vulnerability, remaining undetected for extensive periods of time.

What software component, specifically, is vulnerable?
The affected software is the embedded web server RomPager from AllegroSoft. Internet-wide scans suggest RomPager is likely the most popular web server software in the world with respect to number of available endpoints. RomPager is typically embedded in the firmware released with the device. This specific vulnerability was introduced to the code base in 2002.

Has it been fixed?
Technically, yes; but it’s complicated. AllegroSoft issued a fixed version to address the Misfortune Cookie vulnerability in 2005, which was provided to licensed manufacturers. The patch propagation cycle, however, is incredibly slow (sometimes non-existent) with these types of devices. We can confirm many devices today still ship with the vulnerable version in place. We believe that is a serious problem that the industry needs to solve; secure automatic software updates should be offered for all modern devices, if not as a default setting.

What needs to happen for a patch to arrive at my device?
Generally, all vulnerable device makers need to obtain an updated version of RomPager or patch it manually, integrate the fixed version into their current firmware for all vulnerable lines and models, test that nothing was broken during the process, and release the new firmware version, which would then have to be installed on every vulnerable device in the world.
If your service provider uses TR-069, it may be much easier for them to install the firmware update in bulk.

That patching process sounds unlikely to happen any time soon.
We know. That’s why we consider this a serious problem.

Can’t you just use the vulnerability to patch it everywhere?
While theoretically that might be possible, performing such a pervasive action on devices that are not in your possession would constitute a criminal offense in many countries, regardless of the originator's good intentions.

Why is Check Point performing this type of research?

Wise men have said that in order to understand the adversary, you must become one. These efforts are a part of what makes Check Point a 21-year leader in an ever-changing security landscape.

Check Point actively contributes to the security community by making independent research progress and working towards better public security awareness and education. We’ve been doing this for a while now; you may have noticed some of our recent work.
