Critical flaw on over 12M routers allows device hijacking, network compromise

A critical, easy to exploit vulnerability that opens more than 12 million SOHO routers around the world to remote compromise has been discovered by Check Point researchers.

“The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism present in the affected software, allowing an attacker to determine the ‘fortune’ of a request by manipulating cookies,” the researchers explained, describing how the flaw got its name.

“Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state. This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.”

“All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser,” they pointed out.

Once the device is compromised, the attacker can monitor the victims’ Internet connection and steal their credentials, personal and business data. He or she will also be perfectly positioned to try to compromise any other device connected to that network.

Introduced in 2002, the vulnerability is found in RomPager, an embedded web server made by AllegroSoft that is widely included in the firmware of routers from many different manufacturers. The researchers don’t believe it to be an intentionally included backdoor.

After they discovered the flaw and notified AllegroSoft of it, they were told that the company had issued a fixed version to address the Misfortune Cookie vulnerability in 2005.

This version was provided to licensed manufacturers, but it is well known that “the patch propagation cycle, however, is incredibly slow (sometimes non-existent) with these types of devices.”

As a result, many devices today still ship with the vulnerable version in place. The researchers provided a list of suspected vulnerable router models, manufactured by TP-Link, Huawei, SmartAX, Zyxel, Netcomm, Edimax, and other companies.

What can you do to protect yourself from this flaw? Find out if your device is vulnerable, and if it is and the device vendor has issued firmware addressing it, apply the update. If the vendor hasn’t released such an update, consider pestering them into doing so.
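A first step in the “find out if your device is vulnerable” advice above is simply to learn whether your gateway’s web interface identifies itself as RomPager at all. The following inventory script is an added example and is not code from the article or from Check Point; it parses the `Server` header of an HTTP response, flags a RomPager banner as “needs vendor verification” (the banner alone does not prove the flaw is present, since fixed RomPager builds exist), and can be pointed at a gateway on your own LAN. The sample responses and the `RomPager/X.YY` banner string are constructed placeholders, not real device output.

```python
"""Inventory check: does a gateway's embedded web server identify itself as
RomPager?  Added example (not from the article or Check Point).  Intended to
be run against your own gateway from inside the LAN."""
from __future__ import annotations

import http.client
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class BannerResult:
    host: str
    server: Optional[str]
    rompager: bool
    verdict: str


def classify_server_header(server: Optional[str]) -> Tuple[bool, str]:
    """Decide what a Server header tells a defender.

    Returns (is_rompager, verdict).  A RomPager banner only means the device
    is in scope for the Misfortune Cookie advisory: the owner must still
    confirm with the vendor whether the shipped build carries the 2005 fix.
    """
    if not server:
        return False, "no Server header; embedded web server could not be identified"
    if "rompager" in server.lower():
        return True, ("RomPager banner present; check the vendor's advisory and "
                      "apply updated firmware if one is available")
    return False, "server does not identify as RomPager"


def parse_server_header(raw: bytes) -> Optional[str]:
    """Extract the Server header from a raw HTTP response (status line + headers).

    Header names are case-insensitive; values are decoded as latin-1 because
    embedded servers do not always emit clean ASCII.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def check_gateway(host: str, port: int = 80, timeout: float = 3.0) -> BannerResult:
    """Issue a single HEAD request to the gateway and classify its banner.

    Network errors are reported as 'no Server header' rather than raised, so
    the check can be run over several candidate addresses unattended.
    """
    server: Optional[str] = None
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/")
        server = conn.getresponse().getheader("Server")
        conn.close()
    except (OSError, http.client.HTTPException):
        pass
    rompager, verdict = classify_server_header(server)
    return BannerResult(host, server, rompager, verdict)


# Constructed sample responses (not captured from a real device).  The version
# string "X.YY" is a placeholder; the classifier matches on the product name.
SAMPLE_ROMPAGER = (b"HTTP/1.1 401 Unauthorized\r\n"
                   b"Server: RomPager/X.YY\r\n"
                   b"WWW-Authenticate: Basic realm=\"gateway\"\r\n\r\n")
SAMPLE_OTHER = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/html\r\n"
                b"Server: lighttpd\r\n\r\n")
SAMPLE_NO_SERVER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def classify_raw(raw: bytes) -> Tuple[bool, str]:
    """Convenience wrapper: parse a raw response and classify it."""
    return classify_server_header(parse_server_header(raw))


if __name__ == "__main__":
    for sample in (SAMPLE_ROMPAGER, SAMPLE_OTHER, SAMPLE_NO_SERVER):
        print(classify_raw(sample))
    # Replace with your own gateway's LAN address to check a real device:
    # print(check_gateway("192.168.1.1"))
```

The script deliberately stops at identification: it sends one `HEAD /` request and never touches cookies, so running it against your own gateway is no more intrusive than opening its login page. If the banner is RomPager, the next step is the one the article gives: check whether your vendor has shipped firmware addressing Misfortune Cookie, and update or escalate accordingly.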

“More technical users may flash alternative firmware to their device, replacing the vulnerable service (note this may void the warranty by your vendor). Another option would be configuring your current gateway as a bridge and using a second secure device as your Internet dialer/gateway,” the researchers shared.