"While the proliferation of devices managed by TR-069 is responsible for creating a very large vulnerable client population, Misfortune Cookie is not a vulnerability related to the TR-069/CWMP per se," the Check Point researchers said. "Misfortune Cookie affects any implementation of a service using the old version of RomPager's HTTP parsing code, on port 80, 8080, 443, 7547, and others."
While many users have probably never heard of it, RomPager is actually among the most widely used Web server software in the world. A 2013 scan of the Internet by HD Moore, the chief security officer at Rapid7, found more RomPager deployments on unique IP (Internet Protocol) addresses than Apache, which is the most popular Web server when counting by hosted websites. In presentation materials on its site, Allegro claims that RomPager is used on over 75 million devices shipped by its customers around the world.
The Misfortune Cookie flaw only exists in RomPager versions older than 4.34 and was actually discovered and patched by Allegro itself back in 2005 following internal code reviews. However, many router models, including new ones released this year, still include old RomPager versions in their firmware, especially RomPager 4.07, according to Tal.
The Check Point researchers have identified around 200 router models from various manufacturers, including D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL, that are likely vulnerable. Based on Internet scans, they've detected almost 12 million unique devices in 189 countries that are directly exploitable over the Internet.
Check Point contacted several major router manufacturers whose products were affected, as well as Allegro. Some responded immediately, confirmed the problem and started working on firmware patches, but others didn't respond at all, the researchers said.
Unfortunately there's not much users can do to protect their routers aside from installing firmware patches when they become available and running firewalls on their computers to protect them against network attacks, Tal said.
ISPs that use TR-069/CWMP to manage customer devices can use the protocol to actually deploy firmware patches quicker. Check Point has released guidance for ISPs in a white paper.
The problem is that not only devices given by ISPs to customers are affected. According to Tal, there are routers that listen to requests on port 7547 by default, even though they are not configured for TR-069.
Sign up for Computerworld eNewsletters.