
Home router security vulnerability exposes 12 million devices
Check Point has uncovered a widespread home router security vulnerability, dubbed Misfortune Cookie, that could allow attackers to gain control over millions of devices.
A newly identified vulnerability could expose approximately 12 million residential network gateway devices to attack, endangering home networks and any business data that may traverse those networks.
Lior Oppenheim, a researcher for network and endpoint security vendor Check Point Software Technologies Ltd., based in Israel, was the first to uncover CVE-2014-9222. Dubbed Misfortune Cookie, the vulnerability is more than a decade old and is the result of an error in the HTTP cookie-management mechanism in affected software versions.
According to a Check Point post, the flaw is rooted in an outdated version of RomPager, one of the most popular types of embedded Web server software in the world. Affecting more than 200 models of residential gateways and SOHO routers, the Misfortune Cookie vulnerability can be exploited by sending a single packet containing a malicious HTTP cookie.
Once a gateway device is infected, Check Point said, an attacker would have administrative privileges over the affected device, allowing him or her to monitor Internet connections, steal credentials and even attack the computers, tablets and other connected devices.
What may be of note for enterprises is that more than consumer personal data is put at risk by the vulnerability, according to Check Point, as business data could also be susceptible to theft if transmitted over a compromised gateway device.
"The implications of these risks mean more than just a privacy violation -- they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes," wrote Check Point in its post. "This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive."
Home router security is posing an increasingly real problem for enterprises as more employees work remotely. Earlier this year, the SANS Institute's Internet Storm Center reported a surge in probes against TCP port 32764, believed to be attempts to exploit an alleged backdoor on Linksys routers disclosed by researcher Eloi Vanderbeken. In response to that incident, SearchSecurity network security expert Kevin Beaver, an information security consultant with Principle Logic LLC, advised enterprise security professionals to scan remote employees' IP addresses to determine if their home equipment is vulnerable, and if so, to have employees upgrade or replace affected devices.
As for how to protect against Misfortune Cookie, Check Point advised users to ensure all sensitive files and documents on home systems are protected by passwords, and to enable HTTPS encryption for all Web browser activity.
The flaw itself can only be mitigated by the affected hardware vendors, including D-Link, Huawei, Edimax, ZTE and others, via a firmware update. Technology-savvy users could also flash the devices with third-party firmware that is confirmed to be secure. Check Point confirmed that it had notified all of the manufacturers of the 200-plus residential gateway models potentially susceptible to a Misfortune Cookie attack.
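The advice above amounts to an inventory problem: find the gateways in front of remote employees that run an outdated RomPager build, then get their owners onto fixed vendor firmware. The script below is an added example, not code from Check Point or from this article, showing how to triage raw HTTP responses for the RomPager Server banner. It assumes the device answers HTTP on the interface you are allowed to probe (a gateway with remote administration disabled may expose no banner at all) and that the first fixed RomPager release number is taken from the vendor advisory, since the article only says a fix shipped to manufacturers in 2005; until that number is filled in, the script reports the version without judging it. The sample responses are constructed.

```python
"""Triage raw HTTP responses from home gateways for the RomPager embedded web
server so an enterprise can find remote-employee equipment that needs a vendor
firmware update.  Added example, not Check Point's or the article's code."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int]

# ASSUMPTION / PLACEHOLDER: the article does not name the fixed RomPager
# release, only that Allegro shipped one to manufacturers in 2005.  Set this
# from the vendor advisory; while it is None, versions are reported unjudged.
FIRST_FIXED_VERSION: Optional[Version] = None

ROMPAGER_RE = re.compile(rb"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def server_header(raw_response: bytes) -> Optional[bytes]:
    """Return the Server header value of a raw HTTP/1.x response, else None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip()
    return None


def rompager_version(raw_response: bytes) -> Optional[Version]:
    """Extract (major, minor) from a RomPager banner, else None."""
    hdr = server_header(raw_response)
    if hdr is None:
        return None
    m = ROMPAGER_RE.search(hdr)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(raw_response: bytes,
             first_fixed: Optional[Version] = FIRST_FIXED_VERSION) -> str:
    """Label one response: not-rompager, unjudged, outdated-rompager or rompager-fixed."""
    ver = rompager_version(raw_response)
    if ver is None:
        return "not-rompager"
    if first_fixed is None:
        return "rompager-%d.%02d-unjudged" % ver
    return "outdated-rompager" if ver < first_fixed else "rompager-fixed"


def triage(responses: Dict[str, bytes],
           first_fixed: Optional[Version] = FIRST_FIXED_VERSION) -> Dict[str, str]:
    """Classify a batch of {host: raw_response} captures."""
    return {host: classify(resp, first_fixed) for host, resp in responses.items()}


# Constructed sample responses (not real captures); hostnames are placeholders.
SAMPLES = {
    "gateway-a.example": (b"HTTP/1.1 401 Unauthorized\r\n"
                          b"Server: RomPager/4.07 UPnP/1.0\r\n"
                          b'WWW-Authenticate: Basic realm="router"\r\n\r\n'),
    "gateway-b.example": b"HTTP/1.1 200 OK\r\nServer: nginx/1.6.2\r\nContent-Length: 0\r\n\r\n",
    "gateway-c.example": b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLES).items():
        print(f"{host}: {status}")
```

A banner check is a screening aid, not proof of safety: a vendor may have patched without changing the advertised version, and a device that hides its banner can still be affected. The article's point stands that only the hardware vendor's firmware update (or trusted third-party firmware) fixes the flaw, so the output is a work list for contacting employees, not a verdict.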
Unfortunately, as industry luminary Dan Geer has noted many times in recent years, manufacturers of home router equipment are notoriously slow to issue updates, or to issue them at all. Allegro Software, the maker of RomPager, actually issued an updated version of its software to manufacturers in 2005, but Check Point said there are still devices today that are shipping with outdated, vulnerable versions.
"We believe this is a serious problem that the industry needs to solve," wrote Check Point. "Secure automatic software updates should be offered for all modern devices, if not as a default setting."
In the US/Canada at least, this is not very widespread (see graphic at http://mis.fortunecook.ie/ ) and mostly affects ADSL gateways. The list doesn't contain vulnerable devices from most of the major mfg's either.
From a technical perspective, what I would specifically like to know is whether this vulnerability is exploitable only if the external web interface is enabled, or if the external web interface is disabled, merely passing the packet to the device (even to be blocked by the device) is enough to exploit the vulnerability.
I would expect MUCH more from a "security" site.