More than 12 million routers in homes and businesses around the world are vulnerable to a critical software bug that can be exploited by hackers to remotely monitor users’ traffic and take administrative control over the devices, from a variety of different manufacturers.
The critical vulnerability actually resides in web server “RomPager” made by a company known as AllegroSoft, which is typically embedded into the firmware of router , modems and other “gateway devices” from about every leading manufacturer. The HTTP server provides the web-based user-friendly interface for configuring the products.
HOW MISFORTUNE COOKIE FLAW WORKS…
The vulnerability, tracked as CVE-2014-9222
in the Common Vulnerabilities and Exposures database, can be exploited by sending a single specifically crafted request to the affected RomPager server
that would corrupt the gateway device’s memory, giving the hacker administrative control over it. Using which, the attacker can target any other device on that network.
MAJOR ROUTERS & GATEWAY BRANDS VULNERABLE…
At least 200 different models of gateway devices, or small office/home office (SOHO) routers from various manufacturers and brands are vulnerable to Misfortune Cookie, including kit from D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.
The bug not only affects routers, modems and other gateway devices, but anything connected to them from PCs, smartphones, tablets and printers to “smart home” devices such as toasters, refrigerators, security cameras and more. This simply means if a vulnerable router is compromised, all the networked device within that LAN is at risk.
WORSE ATTACK SCENARIO…
Misfortune Cookie flaw can be exploited by any attacker sitting anywhere in the world even if the gateway devices are not configured to expose its built-in Web-based administration interface to the wider Internet, making the vulnerability more dangerous.
Because many routers and gateway devices are configured to listen for connection requests publicly on port 7547 as part of a remote management protocol called TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol), allowing attackers to send a malicious cookie from far away to that port and hit the vulnerable server software.