Vulnerability in embedded Web server exposes millions of routers to hacking

Attackers can take control of millions of routers by sending a specially crafted request to RomPager, an embedded Web server running on them

A serious vulnerability in an embedded Web server used by many router models from different manufacturers allows remote attackers to take control of affected devices over the Internet.

A compromised router can have wide-ranging implications for the security of home and business networks as it allows attackers to sniff inbound and outbound traffic and provides them with a foothold inside the network from where they can launch attacks against other systems. It also gives them a man-in-the-middle position to strip SSL (Secure Sockets Layer) from secure connections and hijack DNS (Domain Name System) settings to misrepresent trusted websites.

The new vulnerability was discovered by researchers from Check Point Software Technologies and is located in RomPager, an embedded Web server used by many routers to host their Web-based administration interfaces.

RomPager is developed by a company called Allegro Software Development and is sold to chipset manufacturers which then bundle it in their SDKs (software development kits) that are used by router vendors when developing the firmware for their products.

The vulnerability has been dubbed Misfortune Cookie and is being tracked as CVE-2014-9222 in the Common Vulnerabilities and Exposures database. It can be exploited by sending a single specifically crafted request to the RomPager server.

"Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state," the Check Point researchers said on a website created to present the flaw. "This, in effect, can trick the attacked device to treat the current session with administrative privileges -- to the misfortune of the device owner."

The flaw can be exploited by a remote attacker even if the device is not configured to expose its Web-based administration interface to the Internet, making the vulnerability much worse, said Shahar Tal, a security researcher at Check Point.

That's because many routers, especially those provisioned by ISPs to their customers, are configured to listen for connection requests on port 7547 as part of a remote management protocol called TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol).

ISPs send a request to customer devices on port 7547, or another preconfigured port number, when they want those devices to initiate a connection back to their Auto Configuration Servers (ACS). ISPs use these ACS servers to reconfigure customer devices, monitor them for faults or malicious activity, run diagnostics and even upgrade their firmware.

The initial TR-069 request on port 7547 is processed by the device's embedded Web server -- which in many cases is RomPager -- and can be used to exploit the Misfortune Cookie flaw regardless of whether the Web-based administration interface is configured to be accessible from the Internet or not, Tal explained.

"While the proliferation of devices managed by TR-069 is responsible for creating a very large vulnerable client population, Misfortune Cookie is not a vulnerability related to the TR-069/CWMP per se," the Check Point researchers said. "Misfortune Cookie affects any implementation of a service using the old version of RomPager's HTTP parsing code, on port 80, 8080, 443, 7547, and others."

While many users have probably never heard of it, RomPager is actually among the most widely used Web server software in the world. A 2013 scan of the Internet by HD Moore, the chief security officer at Rapid7, found more RomPager deployments on unique IP (Internet Protocol) addresses than Apache, which is the most popular Web server when counting by hosted websites. In presentation materials on its site, Allegro claims that RomPager is used on over 75 million devices shipped by its customers around the world.

The Misfortune Cookie flaw only exists in RomPager versions older than 4.34 and was actually discovered and patched by Allegro itself back in 2005 following internal code reviews. However, many router models, including new ones released this year, still include old RomPager versions in their firmware, especially RomPager 4.07, according to Tal.
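An added example, not code from the article or from Check Point, for an administrator who wants to find out whether a device they manage still runs an affected RomPager build: it requests a page on the ports the article names (80, 8080, 443 and the TR-069 port 7547), reads the Server header, and flags any RomPager version older than 4.34. The sample HTTP response is constructed here for an offline check.

```python
import re
import socket
import ssl

# Ports the Check Point researchers name as carrying RomPager's HTTP parser.
ROMPAGER_PORTS = (80, 8080, 443, 7547)
FIXED_VERSION = (4, 34)  # Allegro fixed the parsing bug in RomPager 4.34


def parse_rompager_version(banner):
    """Return (major, minor) from a Server header such as 'RomPager/4.07', or None."""
    m = re.search(r"RomPager/(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected_version(banner):
    """True when the banner advertises a RomPager build older than 4.34."""
    ver = parse_rompager_version(banner)
    return ver is not None and ver < FIXED_VERSION


def banner_from_response(raw):
    """Pull the Server header value out of a raw HTTP response (bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""


def check_device(host, ports=ROMPAGER_PORTS, timeout=3.0):
    """Map each answering port on a device you administer to (banner, affected?)."""
    findings = {}
    for port in ports:
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
            if port == 443:  # admin UI may be behind TLS with a self-signed cert
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                sock = ctx.wrap_socket(sock, server_hostname=host)
            with sock:
                sock.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                raw = sock.recv(4096)
        except OSError:
            continue  # port closed or unreachable: nothing to report
        banner = banner_from_response(raw)
        if banner:
            findings[port] = (banner, is_affected_version(banner))
    return findings


# Constructed sample of how an old RomPager build identifies itself.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: RomPager/4.07 UPnP/1.0\r\n"
                   b"Content-Type: text/html\r\n\r\n<html></html>")
```

A banner check is only a first screen: a vendor may have patched the parser without bumping the advertised version, so treat a clean banner as inconclusive and a 4.07 banner as a reason to chase the vendor for firmware.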

The Check Point researchers have identified around 200 router models from various manufacturers, including D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL, that are likely vulnerable. Based on Internet scans, they've detected almost 12 million unique devices in 189 countries that are directly exploitable over the Internet.

Check Point contacted several major router manufacturers whose products were affected, as well as Allegro. Some responded immediately, confirmed the problem and started working on firmware patches, but others didn't respond at all, the researchers said.

Unfortunately there's not much users can do to protect their routers aside from installing firmware patches when they become available and running firewalls on their computers to protect them against network attacks, Tal said.

ISPs that use TR-069/CWMP to manage customer devices can use the same protocol to deploy firmware patches more quickly. Check Point has released guidance for ISPs in a white paper.

The problem is not limited to devices supplied by ISPs to their customers. According to Tal, some routers listen for requests on port 7547 by default, even though they are not configured for TR-069.


Lucian Constantin

IDG News Service