Millions of routers and PCs vulnerable to decade-old cookie flaw

A critical software vulnerability that was supposedly patched in 2005 is still affecting at least 200 types of home and small business internet routers, and could also be used by hackers to compromise millions of networked PCs and IoT devices.


In a new research report released yesterday, endpoint security vendor CheckPoint Software Technologies revealed that the flaw affects 12 million ‘readily exploitable’ routers across 189 countries, including models from manufacturers D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL, but could also be used to compromise PCs, phones, tablets, printers, security cameras, refrigerators and any other devices connected to the network.

The so-called ‘Misfortune Cookie’ flaw affects AllegroSoft's RomPager software, which is embedded in the firmware released with router and gateway devices, and specifically relates to the software's HTTP cookie management mechanism.

As a result, hackers could send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state, although there are no signs of attacks as yet. In short, they would be able to trick the attacked device into treating the current session as having administrative privileges, giving them the opportunity to monitor internet connections, steal credentials and data, and infect machines with malware.

The flaw affects routers running versions of RomPager up to version 4.34 (especially version 4.07), and even though Allegro issued a patch to licensed manufacturers back in 2005, the security firm puts its continued existence down to an ‘incredibly slow’ or ‘sometimes non-existent’ patching process.
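For defenders checking their own equipment, the following is an added example, not code from the article or the research report: RomPager normally names itself in the HTTP `Server` response header, so headers already collected from devices you manage can be triaged against the version range given above. The device names and header values are constructed, and reporting 4.34 itself as a separate "check with vendor" case is an assumption, because "up to version 4.34" does not say whether the boundary is inclusive.

```python
import re

# Boundary version taken from the article ("up to version 4.34").
BOUNDARY = (4, 34)
# Matches e.g. "RomPager/4.07 UPnP/1.0" or "Allegro-Software-RomPager/4.34".
BANNER_RE = re.compile(r"\bRomPager/(\d+)\.(\d+)", re.IGNORECASE)


def classify_banner(server_header):
    """Return (status, version_string) for one HTTP Server header value."""
    match = BANNER_RE.search(server_header or "")
    if not match:
        return ("not-rompager", None)
    version = (int(match.group(1)), int(match.group(2)))
    version_string = f"{match.group(1)}.{match.group(2)}"
    if version < BOUNDARY:
        return ("affected", version_string)
    if version == BOUNDARY:
        # Assumption: the article's wording is ambiguous at the boundary.
        return ("boundary-check-vendor", version_string)
    return ("newer", version_string)


def triage(inventory):
    """inventory: iterable of (device_name, server_header) pairs.

    Returns the devices that need a firmware follow-up.
    """
    findings = []
    for name, header in inventory:
        status, version = classify_banner(header)
        if status in ("affected", "boundary-check-vendor"):
            findings.append((name, version, status))
    return findings


# Constructed sample: headers as they might be recorded in an asset inventory.
SAMPLE_INVENTORY = [
    ("gw-lobby", "RomPager/4.07 UPnP/1.0"),
    ("gw-office", "Allegro-Software-RomPager/4.34"),
    ("gw-lab", "RomPager/4.51 UPnP/1.0"),
    ("nas-1", "nginx"),
    ("cam-2", None),  # device returned no Server header
]

if __name__ == "__main__":
    for name, version, status in triage(SAMPLE_INVENTORY):
        print(f"{name}: RomPager {version} -> {status}")
```

A banner is only an indicator: firmware can be patched without the version string changing, so confirm each finding against the manufacturer's firmware notes.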

CheckPoint – which has described Misfortune Cookie as one of the ‘most widespread vulnerabilities revealed in recent years’ – has advised affected users to add a firewall to all PCs and has now assigned the vulnerability the CVE-2014-9222 identifier.

“Misfortune Cookie is a serious vulnerability present in millions of homes and small businesses around the world, and if left undetected and unguarded, could allow hackers to not only steal personal data, but control people's homes,” said Shahar Tal, malware and vulnerability research manager at the firm.

On a separate web page set up specifically for information on the flaw, the company said that it is unique because of its severity, how easy it is to exploit, its lack of almost any preconditions and ‘the sheer volume of vulnerable networks’.

“In certain countries, we have measured eye-opening vulnerability rates of anywhere between 10 percent to an estimated 50 percent of used IP addresses in that country (this is not a typo, one in two internet users in these countries is likely vulnerable),” reads the home page.

“This should be considered an alarming wake-up call for the embedded device industry and consumers alike, highlighting the importance of increased security and privacy for consumer and enterprise networks.”

Bob Tarzey, director and consultant at Quocirca, told SCMagazineUK.com that the flaw is a big job to fix, especially with it being unpatched for so long.

“The flaw may be old, but so are many routers and unlike OSs and app software their firmware often goes unpatched by consumers and SMBs,” he said via email. “It will likely be exploited by random probing or targeting of smaller supply chain participants. A big job to fix, service providers and suppliers affected will need to step up to the mark.”