Report: Flaw Affects 12 Million Routers

Devices from 50 Manufacturers Affected, Check Point Warns
Report: Flaw Affects 12 Million Routers

At least 12 million home and small-office routers from 50 manufacturers have a flaw that an attacker could remotely exploit to seize control of the device and intercept all data that it transmits, according to security firm Check Point Software Technologies. Among the devices at risk are at least 200 different products manufactured by such vendors as D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL.

See Also: Eight Capabilities IT Pros Should Look for in a CASB

Check Point presented the findings of their research into what they've dubbed the "Misfortune Cookie" vulnerability at this week's 31st Chaos Communication Congress, or 31C3, in Hamburg, Germany.

The company says it has discovered two distinct vulnerabilities in RomPager, which is a Web server built by Allegro Software that gets embedded in the firmware that runs many router and gateway devices. And Allegro has confirmed the flaws. One vulnerability, CVE-2014-9222, allows an attacker to remotely bypass the device's authentication mechanism; this is the Misfortune Cookie flaw. A related vulnerability, CVE-2014-9223, allows an attacker to create a buffer overflow on a device, triggering a denial of service.

"The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism present in the affected software, allowing an attacker to determine the 'fortune' of a request by manipulating cookies," the Check Point researchers say. "All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required - just a simple, modern browser."

The Check Point researchers say they have yet to see any in-the-wild attacks that exploit the vulnerability. But based on scans of the Internet looking for equipment that runs a vulnerable version of RomPager, they found at least 12 million devices currently being used - across 189 countries - that are vulnerable to related attacks.

Users of devices that sport the flaw are at risk of having their data intercepted, warns Dublin-based information security consultant Brian Honan, who heads Ireland's computer emergency response team. "The biggest risk would be for the attackers to be able to modify settings on the router, such as changing the DNS settings," he says. "This could allow the attackers to then redirect the users' Web traffic to phishing websites, malware-loaded websites, or to intercept their Internet traffic and capture sensitive information such as passwords and financial details."

Beyond consumers, remote employees are also at risk from vulnerable devices, says threat-intelligence firm iSight Partners. "Although the Misfortune Cookie vulnerability does not affect routers commonly used in larger enterprise environments ... compromised devices still pose a potential threat to enterprises, especially to those with employees that perform work on their computer or mobile devices through home routers," it says in a research note.

Flaws Patched in 2005

In a statement, Allegro Software, which is based in Boxborough, Mass., notes: "These vulnerabilities were discovered in the RomPager embedded Web server version 4.07, which was released in 2002." But the company says that the flaws were identified and fixed, and an update - RomPager version 4.34, which fixes the vulnerability - was released to customers in 2005. The most recent version of RomPager is version 5.40.

But Allegro Software says that some manufacturers are continuing to ship products that include a version of RomPager that is a decade or more out of date. "Unfortunately, not all manufacturers using Allegro Software products have updated their devices with the latest RomPager software component," it says. "In some cases, manufacturers continue to make and sell products with software components that are over 13 years old, which can expose products to security concerns."

Allegro Software notes that it's a third-party supplier of embedded Web servers, and that it's incumbent upon device manufacturers to patch their customers' equipment, by issuing updated firmware. "If you have a product that is affected by the above security concerns, please contact the product manufacturer to obtain a firmware update," it says.

Huawei's Product Security Incident Response Team tells Information Security Media Group that it has identified the vulnerability and published a security notice on its website. According to that security alert, both the Huawei Echolife HG530 and HG520c routers are vulnerable to the two vulnerabilities discovered by Check Point. Huawei on Dec. 24 released a related patch for each of those devices.

D-Link, Edimax, TP-Link, ZTE and ZyXEL did not immediately respond to requests for comment on Check Point's research.

Pinpointing Problems

German IT journalist Hanno Böck has created a free online tool that's designed to scan hostnames or IP addresses for the presence of equipment that contains either of the vulnerabilities identified by Check Point.

If vendors fail to issue patches for vulnerable devices, then consumers might be best served by throwing those devices away. "If old tech is no longer supported, then people should consider replacing them with newer and more secure devices," says Honan, who is also a cybersecurity adviser to Europol. "Tech should be treated like many other items we use in our homes. If your vacuum cleaner can no longer do the job properly and it cannot be repaired, you replace it. The same [goes for] the items our digital lives depend on."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network