Saturday, December 20, 2014

Misfortune Cookies Vulnerability

As everybody was focusing on the Sony hacking incident, there was a vulnerability that is affecting over 12 million Internet routers located in 189 countries across the globe been announced. At least over 200 different models of the devices are vulnerable. These lists of vulnerable devices consist of companies such as ASUS, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.

This vulnerability, which is discovered by the researchers from Check Point’s Malware and Vulnerability Research Group, called it "Misfortune Cookie vulnerability". It is exploitable due to an error within the HTTP cookie management mechanism in the affected software. It allows an attacker to determine the ‘fortune’ (critical information) of a request by manipulating cookies. Attackers can then send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application state, which will trick the device’s web server to treat the current session with administrative privileges.

The actual vulnerability lies on the software that is the embedded web server RomPager from AllegroSoft. Devices running RomPager services with versions before 4.34 are vulnerable.

So what can you do with the exploit of this vulnerability? With administrative access to your device, an attacker could take control over your wired and/or wireless network infrastructure. Depending on your gateway device, there may be risk of Man-in-The-Middle attacks, provide a possible attack vector for LAN-side vulnerabilities, and also gave the attacker the ability to extract useful information from the network connections from your devices.

With information extracted from your network, it also provide the stage for further attacks, such as installing malware on devices and making permanent configuration changes the bypassing gateway protection just as firewall or network isolation of your local network.

Since this is one of the most widespread vulnerabilities revealed in recent years, how can we mitigate it? There is actually a patch to the vulnerable software. AllegroSoft issued a fixed version to address this “Misfortune Cookie vulnerability” in 2005. It is advice to check with the device vendor if the patched firmware is already available.

But there is always this common issue of device vendors taking too long to patch up their firmware. Even if the patch of the vulnerable software available, they need to integrate this patch into their device firmware, test to make sure nothing breaks and then make it available which normally takes a long time.

Other mitigation that can be considered will be to deploy Intrusion Prevention Systems (IPS) in front of your device. There are IPS signatures available for this vulnerability (CVE-2014-9222 and CVE-2014-9223). 

Misfortune Cookie

No comments: