Vulnerability Management

Critical ‘Misfortune Cookie’ bug puts millions of internet-connected routers at risk

Security company Check Point has identified a critical vulnerability that can be exploited to compromise at least 200 different models of residential gateway devices, or small office/home office (SOHO) routers, from a variety of different manufacturers.

Researchers with Check Point have detected roughly 12 million unique devices in 189 countries that are internet-connected and readily exploitable, according to a FAQ posted on Thursday, which names products by D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL as being at risk.

Exploiting the vulnerability is simple, and can enable an attacker to gain complete administrative access to the device, Shahar Tal, malware and vulnerability research manager with Check Point Software Technology, told in a Thursday email correspondence.

That kind of control allows for a variety of threats, including man-in-the-middle attacks, Tal said. Ultimately, attackers can steal credentials and personal and business data, as well as infect machines with malware.

“We can say that the final exploit fits within a single packet that attackers can send today to a vulnerable device over the public Internet,” Tal said. “No further steps are needed. At that point, an attacker owns administrator access to the device. There is no need for any specific hacker tools other than a regular web browser.”

Check Point is referring to the vulnerability – CVE-2014-9222 – as ‘Misfortune Cookie' because it exists due to an error within the HTTP cookie management mechanism present in the affected software, which is the embedded web server RomPager from AllegroSoft, according to the FAQ.

“The vulnerable code was written in 2002, and given to a chipset maker, who bundled it in their SDK, [which] was given to another vendor that created an OS that was given to manufacturers that created firmware that was given to ISPs that created custom firmware [and] installed it on consumer devices,” Tal said.

While the FAQ indicates that AllegroSoft issued a fix to address the vulnerability in 2005 and gave it to licensed manufacturers, Tal said that the “unfortunately complex chain makes update propagation incredibly slow to non-existent.”

There are typically no logs or other traces of Misfortune Cookie exploitation, according to the FAQ, which explains that Check Point is unaware of any specific attacks exploiting the vulnerability, but adds that the bug is likely known and even being used in some capacity.

Users should keep their eyes open for a firmware upgrade and apply it immediately, Tal said.

“We think this vulnerability highlights the sad state of embedded device security, and boosts the need for endpoint protections,” Tal said. “Make sure to have endpoint protections in place, including firewalls, anti-virus software, and a freshly updated operating system.”

AllegroSoft did not respond to a request for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.