
ZoneAlarm advert?
Is it just me or does it feel like http://mis.fortunecook.ie/ is an advert for ZoneAlarm?
Infosec biz Check Point claims it has discovered a critical software vulnerability that allows hackers to hijack home and small business broadband routers across the web. The commandeered boxes could be used to launch attacks on PCs and gadgets within their local networks. More than 12 million low-end SOHO routers worldwide …
I'm not sure NoScript would help with body text:
"What can I do to protect against the vulnerability?
For consumers and small businesses, Check Point recommends adding ZoneAlarm firewall to your PC to significantly enhance your protection from attack. All ZoneAlarm products include a two-way firewall and a proprietary OSFirewall™ that blocks malicious activity on your computer and is hardened with self-protection to prevent it from being disabled by malware. For a limited time through December 26, to help consumers protect their PC from attack, we’re offering ZoneAlarm PRO Firewall for only $9.95 (regularly $40) through this link."
So how do I install ZoneAlarm PRO on all the non-PC devices on my LAN? And will it conflict with iptables where I've got that installed? Perhaps they need to produce ZoneAlarm Fridge or similar...
As far as I know the latest OpenWRT isn't going to be vulnerable and that's what I have protecting my system, having switched the cable modem to bridge mode with my own router behind it.
"So how do I install ZoneAlarm PRO on all the non-PC devices on my LAN?"
Good point. Personal computers are not the only networked devices. I suppose that tablets and phones are just about as vulnerable at other untrusted locations as they are on your home LAN, so that horse is already long gone. There are also appliances like surveillance cameras.
To be fair, I don't know how many embedded devices have the hardware to do deep packet inspection. My Drobo doesn't. And it would probably murder battery life on a mobile. CheckPoint can't fix that.
"To be fair, I don't know how many embedded devices have the hardware to do deep packet inspection. My Drobo doesn't. And it would probably murder battery life on a mobile. CheckPoint can't fix that."
An embedded device doesn't need to do deep packet inspection, it just needs to only respond to what it's supposed to handle and to safely reject everything else. If you send it a packet that is too long then the network stack should discard it without overrunning a buffer, if you send a malformed packet of suitable length then the application should correctly parse it and throw out anything that doesn't make sense. Many flaws are there because the software writer was lazy, or didn't think of all the corner cases and handle them. It was many years before people even really thought about deliberate malicious attacks on software, much error-handling was intended to deal with benign mistakes.
An embedded device doesn't need to do deep packet inspection, it just needs to only respond to what it's supposed to handle and to safely reject everything else...the application should correctly parse it and throw out anything that doesn't make sense.
Certainly. I agree with everything you say. Sadly, many potentially vulnerable devices are no longer supported. We can't look to CheckPoint to solve that. That's all I mean.
I really hate this sort of shit. Is this an actual issue or a marketing piece?
If it is a real technical announcement, what does this mean :-
"All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser."
Other than (maybe) some relatively complex code with websockets, I'm not sure how to make my browser output a single packet. Such bullshit can only harm any real warning of a real issue.
"If it is a real technical announcement, what does this mean"
The problem is, if you go full disclosure and dump all the details online, someone will weaponize it within an hour and by the end of the week someone will have a 12-million-strong botnet. Check Point noted: "This public awareness may serve as a better incentive for the makers to release updated firmware faster."
You need to craft an HTTP request with a cookie that exploits a flaw – probably a buffer overflow – in the server. You can always reverse engineer the firmware yourself, like Check Point did, and I suspect people already are.
C.
There are other ways of raising awareness than going full apocalypse scare tactics as a thinly obfuscated attempt to sell software that won't actually fix the problem.
A single HTTP request with a specially crafted cookie from a web browser with an extension to allow modification of cookies is a far cry from a single packet sent by a normal web browser. Checkpoint know the difference and have made that statement to confuse and terrify those who don't.
It's difficult enough to get people to take security seriously without this sort of marketing shenanigans.
I'm not just singling out checkpoint here, there are many others who have also done this sort of thing.
That's what I thought about the Draytek. I can't see why it would be on by default, unless there is an expectation that 50%+ of customers would be using TR069 to manage them; given it's a SOHO/SMB device, I'd find this unlikely meself, but then I could be wrong.
Still, fixed now, and it prompted me to update me firmware so not grumbling too hard.
"most devices listen publicly on port 7547 to receive instructions from ISPs via the TR-069"
Really?
I'd have said the number actively using TR069, at least in the UK, was negligible, but I'm happy to be proved wrong (it's been a few years since I actively followed this stuff).
And why does TR069 need a listening port open on customer premises anyway, why can't this mechanism be implemented with the ISP doing the listening and the customer router doing an outgoing connect from time to time?
However, as another reader just found, you'd perhaps do well to check what ports/services are open on the internet-facing side of your router, and shut up any that you don't want.
My Slackware gaming rig is running my NAT with iptables and ZoneAlarm Pro, and I have 14 different embedded devices all behind SonicWall hardware firewalls, so I don't see the problem.
Mainly because I lack empathy and don't see that there are people for whom computing is a means to and end rather than the meaning of existence.
To see if your router/modem is running a vulnerable version of RomPager, run Wireshark and access the device's configuration page.
Look for an HTTP/1.1 200 OK packet; inside that will be listed the server version, e.g.:
Server: RomPager/4.07 UPnP/1.0
Which suggests my modem is vulnerable, bugger. Time to get a different one methinks. Good job it's separate from the router.
Then again, would my modem even be reachable from the internet if it's running in PPPoE bridge mode? Wouldn't the PPPoE-encapsulated packets get sent straight to the router without the modem even bothering to look at them?
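The two checks suggested in this thread (look at what is open on the WAN side, and read the Server banner to see whether it is an old RomPager) can be done from a script instead of Wireshark. The following is an added example, not code from the article, from Check Point, or from any poster here. It assumes: the helper names `parse_server_header`, `rompager_version`, `assess`, `probe` and `scan` are made up for this illustration; `SAMPLE_RESPONSE` is a constructed reply modelled on the `Server: RomPager/4.07 UPnP/1.0` line quoted above, not a real capture; the cut-off `FIXED_VERSION = (4, 34)` comes from Check Point's published advisory (RomPager 4.34 is the release Allegro fixed), which is not stated anywhere in this thread; and `192.0.2.1` is a TEST-NET placeholder to be replaced with your own public address. Run it from outside your network (a phone on mobile data, a VPS), since probing your own WAN IP from the LAN usually hits the router's LAN interface instead.

```python
import re
import socket
from typing import Dict, Optional, Tuple

# Assumption, not from the thread: Check Point's advisory names RomPager 4.34 as the
# release in which the cookie-parsing flaw was fixed, so anything older is suspect.
FIXED_VERSION: Tuple[int, int] = (4, 34)

# Constructed sample reply modelled on the banner quoted in the thread (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: RomPager/4.07 UPnP/1.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Plain-HTTP ports worth checking from the outside: the management UI on 80/8080
# and the TR-069 (CWMP) listener on 7547 mentioned in the thread.
DEFAULT_PORTS = (80, 8080, 7547)


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP reply, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # [1:] skips the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def rompager_version(server: str) -> Optional[Tuple[int, int]]:
    """Pull (major, minor) out of e.g. 'RomPager/4.07 UPnP/1.0'; None if not RomPager."""
    m = re.search(r"RomPager/(\d+)\.(\d+)", server)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(raw: bytes) -> str:
    """Turn one raw reply into a verdict string."""
    server = parse_server_header(raw)
    if server is None:
        return "no Server header"
    ver = rompager_version(server)
    if ver is None:
        return f"not RomPager: {server}"
    shown = f"{ver[0]}.{ver[1]:02d}"
    if ver < FIXED_VERSION:                        # tuple comparison: (4, 7) < (4, 34)
        return f"suspect: RomPager {shown} is older than {FIXED_VERSION[0]}.{FIXED_VERSION[1]}"
    return f"patched: RomPager {shown}"


def probe(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Send a minimal GET to host:port and return the raw reply.

    Returns None when the port is closed, filtered or times out, which is the
    answer you want to see on the WAN side of a home router.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks, total = [], 0
            while total < 4096:                     # headers are all we need
                chunk = s.recv(1024)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
            return b"".join(chunks)
    except OSError:                                 # refused, unreachable, timeout
        return None


def scan(host: str, ports=DEFAULT_PORTS) -> Dict[int, str]:
    """Probe each port once and map port -> verdict."""
    results: Dict[int, str] = {}
    for port in ports:
        raw = probe(host, port)
        results[port] = "closed or filtered" if raw is None else assess(raw)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder: pass your public IP
    for port, verdict in scan(target).items():
        print(f"{target}:{port:<5} {verdict}")
```

A banner match is a hint, not proof: some vendors rebuild RomPager with a changed version string or strip the header, and a device behind a modem in bridge mode (as the post above wonders) will only be reached if the modem itself still answers on its own address. "closed or filtered" on every port is the result to aim for; anything else on 7547 in particular deserves a look at the router's remote-management settings.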
Last night, my home network was attacked. One machine, which is always online (Transfer Time: 175 Days 22:44 Hours (99.8%)), running ClamWin or the Windows version of Linux ClamTK, was knocked offline, but not compromised. However, the HP DV6 i7 went nuts all of a sudden: fans kicked up, the trackpad started to glow red... I thought "what u doin", and managed to catch CryptoLocker at work. Process Explorer killed its processes and descendants, msconfig removed startups, stopped the machine, pulled the HDD, replaced it with a fresh one and rebuilt the HP, but with ClamWin. So I have a 320GB HDD here with CryptoLocker halfway through its nasty; all files on the drive are accessible under Xubuntu as an external USB drive. Windows security is a laugh!
So if I can disassemble this thing and work out how it talks back to them, and send it back to them dressed the way they expect, how many zeros should I add to his ransom?
However, what I would like to mention about routers: now I have 2, Home Net and NBN main, and when I asked NBN about firmware updates, they had no clue...
I was talking about how, now it's an external USB drive, when I plug it into Linux I can see EVERY FILE on it, no special forensics required, including the Windows secured "password" file...
I have captured 3 .exe files from the drive, but still haven't found how it was inserted into the system; I found the file it unpacked from, I think, so far, and it's a Flash animation I looked at on a site at that same time. Still sorting this out, eyes sore from reading ASCII disassembly screens, but I am still on the case...
Really annoying to see a whole website full of loads of text that tells you nothing that could not have been said with just two sentences. Even advisories that give explicit details are a tenth of the size of all this twaddle.
It ain't Shellshock or Heartbleed. Maybe a drip of a nosebleed.
So the vuln is in the web server on the router? How many home routers allow access to the web management server on the WAN interface? Most only allow access from the LAN side. So doesn't that presuppose that the attacker has access to your LAN? In which case you're already in trouble.
Or maybe I'm missing something because it's lunch time at 2 hours before COB for the year.
Or another scary thought is, with these holes, running an OS under virtualization: a cut-down, built-for-the-job distro. DSL is about 50MB in the stock version, ready for the internet, but, as an example, the "Tiny Core Project" can produce a 12MB FLTK/FLWM desktop.
If you can cut that down further and run bash scripts... on, say, an 8-core, 32GB, SATA SSD system, lucky enough to have a fibre 100MBsx40MBs internet connection, I think a sub 5-6MB ISO-style file, which would download in milliseconds, could contain a whole other OS running in a background VM process; before you could blink it could be unpacking, and then be lying doggo, waiting...
(My choice would be a VM of a newer DOS-based, BAT-file-driven monster, probably under 2-3MB, easier to hide in a Windows coop...)
Which is why I switch off virtualization in the BIOS on my online machines and have 2 networks, a TRUE home one and another internet-capable one, with things only moved between networks on USB drives after careful inspection.