‘Misfortune Cookie’: Critical flaw on over 12 million routers allows device hijacking and network compromise
Security researchers at Check Point have discovered a critical and easy-to-exploit vulnerability in small office/home office (SOHO) routers that puts an estimated 12 million routers at risk of device hijacking and remote network compromise.
The vulnerability has been dubbed ‘Misfortune Cookie’ by the Check Point researchers and designated CVE-2014-9222 in the NVD maintained by NIST.
Explaining the name, the researchers stated: “The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism present in the affected software, allowing an attacker to determine the ‘fortune’ of a request by manipulating cookies.” They added that all an attacker has to do is send a specially crafted HTTP cookie to the public IP address of the device to take total control of the network. “Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state. This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.”
The researchers also maintained that the vulnerability is very easy to exploit, since an attacker needs nothing more than a modern browser: “All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser.”
Once the device is compromised, the attacker can monitor the victim’s Internet connection and steal their credentials and personal or business data. He or she will also be perfectly positioned to attempt to compromise any other device connected to that network. “An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast,” added the researchers.
The flaw has existed since 2002 in RomPager, an embedded web server made by a firm called AllegroSoft. Check Point researchers said that AllegroSoft became aware of the vulnerability and issued a fix to its licensee manufacturers in 2005, but apparently, owing to slow patching processes and the large number of router manufacturers worldwide, the vulnerability still exists in unpatched versions of RomPager.
The researchers stated that around 200 different models, including those from TP-Link, Huawei, SmartAX, Zyxel, Netcomm, Edimax and other companies, are vulnerable to this exploit. You can view the complete list of devices here (PDF). Notably, cheaper and relicensed models feature prominently in the list. The researchers have stated that they do not believe it to be an intentionally included backdoor for security agencies.
Since your router may feature in the list published by Check Point, you should badger your router manufacturer for a firmware update addressing the flaw. If you are familiar with firmware flashing techniques, you could download updated firmware from a reputable source and flash your router yourself, but remember that this would void the warranty. Another option is to configure your current gateway as a bridge and use a second, secure device as your Internet dialer/gateway.
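Before chasing a vendor for firmware, an administrator usually wants to know which of their gateways actually run RomPager and whether the version they advertise predates the fix AllegroSoft shipped. The helper below is an added example, not code from Check Point, AllegroSoft or the article: it takes the HTTP response heads you have already collected from the management pages of routers you administer, extracts the `Server` banner from the header section only, and classifies each device. The inventory (`SAMPLE_RESPONSES`) is constructed for the example, and `EXAMPLE_FIXED_VERSION` is a placeholder, because the article says a fix was issued in 2005 but does not name the version; substitute the threshold from AllegroSoft's or your vendor's advisory.

```python
"""
Added triage helper (not Check Point's or AllegroSoft's code): pick out the
management interfaces whose Server banner identifies AllegroSoft RomPager and
flag any whose banner version precedes a fixed version you supply.
"""
import re
from typing import Dict, List, Optional, Tuple

# CONSTRUCTED sample inventory: device label -> head of the HTTP response its
# management page returned. These are not captures from real devices.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "gateway-a": b"HTTP/1.1 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\n"
                 b"WWW-Authenticate: Basic realm=\"Router\"\r\n\r\n",
    "gateway-b": b"HTTP/1.1 200 OK\r\nServer: RomPager/4.51 UPnP/1.0\r\n"
                 b"Content-Type: text/html\r\n\r\n",
    "gateway-c": b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\nContent-Type: text/html\r\n\r\n",
    # No Server header; the body contains a decoy line that must NOT be parsed.
    "gateway-d": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nServer: decoy\r\n",
    "gateway-e": b"HTTP/1.1 200 OK\r\nServer: RomPager\r\n\r\n",
}

# PLACEHOLDER: the article says AllegroSoft fixed the flaw in 2005 but does not
# name the fixed version. Replace with the threshold from your vendor's advisory.
EXAMPLE_FIXED_VERSION: Tuple[int, ...] = (4, 50)

_SERVER_RE = re.compile(rb"^Server:[ \t]*(.*?)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)
_ROMPAGER_RE = re.compile(r"\bRomPager(?:/(\d+(?:\.\d+)*))?", re.IGNORECASE)


def server_header(response_head: bytes) -> Optional[str]:
    """Return the Server header value, read from the header section only."""
    headers = response_head.split(b"\r\n\r\n", 1)[0]
    m = _SERVER_RE.search(headers)
    return m.group(1).decode("latin-1") if m else None


def rompager_version(server: Optional[str]) -> Optional[Tuple[int, ...]]:
    """None if the banner is not RomPager, () if RomPager advertises no
    version, else the version as ints: 'RomPager/4.07 UPnP/1.0' -> (4, 7)."""
    if not server:
        return None
    m = _ROMPAGER_RE.search(server)
    if not m:
        return None
    if not m.group(1):
        return ()
    return tuple(int(part) for part in m.group(1).split("."))


def classify(response_head: bytes, fixed_version: Tuple[int, ...]) -> str:
    """Map one response head to a triage status string."""
    server = server_header(response_head)
    if server is None:
        return "no-banner"                   # banner hidden: verify firmware manually
    version = rompager_version(server)
    if version is None:
        return "not-rompager"
    if version == ():
        return "rompager-unknown-version"    # RomPager, but no version advertised
    if version < fixed_version:
        return "rompager-below-fix"
    return "rompager-at-or-above-fix"


def triage(responses: Dict[str, bytes],
           fixed_version: Tuple[int, ...] = EXAMPLE_FIXED_VERSION) -> Dict[str, str]:
    """Classify every device in the inventory."""
    return {label: classify(head, fixed_version) for label, head in responses.items()}


def needs_attention(report: Dict[str, str]) -> List[str]:
    """Devices to follow up: old RomPager, RomPager of unknown version, or no
    banner at all (a hidden banner is not evidence of a patched server)."""
    flagged = {"rompager-below-fix", "rompager-unknown-version", "no-banner"}
    return sorted(label for label, status in report.items() if status in flagged)


if __name__ == "__main__":
    report = triage(SAMPLE_RESPONSES)
    for label, status in report.items():
        print(f"{label:12s} {status}")
    print("follow up:", ", ".join(needs_attention(report)))
```

Treat the banner as a hint, not proof: vendors can rebrand or suppress the `Server` header, so a device reporting nothing, or a version at or above the threshold, still deserves a check against the Check Point device list and the vendor's own firmware notes before you stop worrying about it.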