A serious vulnerability in an embedded Web server used by many router models from different manufacturers allows remote attackers to take control of affected devices over the Internet.
A compromised router can have wide-ranging implications for the security of home and business networks as it allows attackers to sniff inbound and outbound traffic and provides them with a foothold inside the network from where they can launch attacks against other systems. It also gives them a man-in-the-middle position to strip SSL (Secure Sockets Layer) from secure connections and hijack DNS (Domain Name System) settings to misrepresent trusted websites.
The new vulnerability was discovered by researchers from Check Point Software Technologies and is located in RomPager, an embedded Web server used by many routers to host their Web-based administration interfaces.
RomPager is developed by a company called Allegro Software Development and is sold to chipset manufacturers which then bundle it in their SDKs (software development kits) that are used by router vendors when developing the firmware for their products.
The vulnerability has been dubbed Misfortune Cookie and is being tracked as CVE-2014-9222 in the Common Vulnerabilities and Exposures database. It can be exploited by sending a single specifically crafted request to the RomPager server.
"Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state," the Check Point researchers said on a website created to present the flaw. "This, in effect, can trick the attacked device to treat the current session with administrative privileges -- to the misfortune of the device owner."
The flaw can be exploited by a remote attacker even if the device is not configured to expose its Web-based administration interface to the Internet, making the vulnerability much worse, said Shahar Tal, a security researcher at Check Point.
That's because many routers, especially those that ISPs provisioned to their customers, are configured to listen for connection requests on port 7547 as part of a remote management protocol called TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol).
ISPs send a request to customer devices on port 7547, or another preconfigured port number, when they want those devices to initiate a connection back to their Auto Configuration Servers (ACS). ISPs use these ACS servers to reconfigure customer devices, monitor them for faults or malicious activity, run diagnostics and even upgrade their firmware.
The initial TR-069 request on port 7547 is processed by the device's embedded Web server -- which in many cases is RomPager -- and can be used to exploit the Misfortune Cookie flaw regardless of whether the Web-based administration Interface is configured to be accessible from the Internet or not, Tal explained.
Sign up for Computerworld eNewsletters.