Vulnerability in embedded Web server exposes millions of routers to hacking

Attackers can take control of millions of routers by sending a specially crafted request to RomPager, an embedded Web server running on them

A serious vulnerability in an embedded Web server used by many router models from different manufacturers allows remote attackers to take control of affected devices over the Internet.

A compromised router can have wide-ranging implications for the security of home and business networks as it allows attackers to sniff inbound and outbound traffic and provides them with a foothold inside the network from where they can launch attacks against other systems. It also gives them a man-in-the-middle position to strip SSL (Secure Sockets Layer) from secure connections and hijack DNS (Domain Name System) settings to misrepresent trusted websites.

The new vulnerability was discovered by researchers from Check Point Software Technologies and is located in RomPager, an embedded Web server used by many routers to host their Web-based administration interfaces.

RomPager is developed by a company called Allegro Software Development and is sold to chipset manufacturers which then bundle it in their SDKs (software development kits) that are used by router vendors when developing the firmware for their products.

The vulnerability has been dubbed Misfortune Cookie and is being tracked as CVE-2014-9222 in the Common Vulnerabilities and Exposures database. It can be exploited by sending a single specifically crafted request to the RomPager server.

"Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state," the Check Point researchers said on a website created to present the flaw. "This, in effect, can trick the attacked device to treat the current session with administrative privileges -- to the misfortune of the device owner."

The flaw can be exploited by a remote attacker even if the device is not configured to expose its Web-based administration interface to the Internet, making the vulnerability much worse, said Shahar Tal, a security researcher at Check Point.

That's because many routers, especially those that ISPs provisioned to their customers, are configured to listen for connection requests on port 7547 as part of a remote management protocol called TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol).

ISPs send a request to customer devices on port 7547, or another preconfigured port number, when they want those devices to initiate a connection back to their Auto Configuration Servers (ACS). ISPs use these ACS servers to reconfigure customer devices, monitor them for faults or malicious activity, run diagnostics and even upgrade their firmware.

The initial TR-069 request on port 7547 is processed by the device's embedded Web server -- which in many cases is RomPager -- and can be used to exploit the Misfortune Cookie flaw regardless of whether the Web-based administration Interface is configured to be accessible from the Internet or not, Tal explained.

"While the proliferation of devices managed by TR-069 is responsible for creating a very large vulnerable client population, Misfortune Cookie is not a vulnerability related to the TR-069/CWMP per se," the Check Point researchers said. "Misfortune Cookie affects any implementation of a service using the old version of RomPager's HTTP parsing code, on port 80, 8080, 443, 7547, and others."

While many users have probably never heard of it, RomPager is actually among the most widely used Web server software in the world. A 2013 scan of the Internet by HD Moore, the chief security officer at Rapid7, found more RomPager deployments on unique IP (Internet Protocol) addresses than Apache, which is the most popular Web server when counting by hosted websites. In presentation materials on its site, Allegro claims that RomPager is used on over 75 million devices shipped by its customers around the world.

The Misfortune Cookie flaw only exists in RomPager versions older than 4.34 and was actually discovered and patched by Allegro itself back in 2005 following internal code reviews. However, many router models, including new ones released this year, still include old RomPager versions in their firmware, especially RomPager 4.07, according to Tal.

The Check Point researchers have identified around 200 router models from various manufacturers, including D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL, that are likely vulnerable. Based on Internet scans, they've detected almost 12 million unique devices in 189 countries that are directly exploitable over the Internet.

Check Point contacted several major router manufacturers whose products were affected, as well as Allegro. Some responded immediately, confirmed the problem and started working on firmware patches, but others didn't respond at all, the researchers said.

Unfortunately there's not much users can do to protect their routers aside from installing firmware patches when they become available and running firewalls on their computers to protect them against network attacks, Tal said.

ISPs that use TR-069/CWMP to manage customer devices can use the protocol to actually deploy firmware patches quicker. Check Point has released guidance for ISPs in a white paper.

The problem is that not only devices given by ISPs to customers are affected. According to Tal, there are routers that listen to requests on port 7547 by default, even though they are not configured for TR-069.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Huawei TechnologiesTp-link TechnologiesNetworkingroutersZTEExploits / vulnerabilitiesCheck Point Software Technologiesnetworking hardwareintrusionsecurityAllegro Software DevelopmentAccess control and authenticationZyXEL CommunicationsEdimax TechnologyD-Link

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?