Misfortune Cookie crumbles router security: '12 MILLION+' in hijack risk

Infosec biz Check Point claims it has discovered a critical software vulnerability that allows hackers to hijack home and small business broadband routers across the web. The commandeered boxes could be used to launch attacks on PCs and gadgets within their local networks. More than 12 million low-end SOHO routers worldwide …

  1. Anonymous Coward

    ZoneAlarm advert?

    Is it just me or does it feel like

    http://mis.fortunecook.ie/

    Is an advert for ZoneAlarm?

    1. Destroy All Monsters Silver badge

      Re: ZoneAlarm advert?

      I don't know that feel.

      Do you have NoScript?

      1. Anonymous Coward

        Re: ZoneAlarm advert?

        I'm not sure NoScript would help with body text:

        "What can I do to protect against the vulnerability?

        For consumers and small businesses, Check Point recommends adding ZoneAlarm firewall to your PC to significantly enhance your protection from attack. All ZoneAlarm products include a two-way firewall and a proprietary OSFirewall™ that blocks malicious activity on your computer and is hardened with self-protection to prevent it from being disabled by malware. For a limited time through December 26, to help consumers protect their PC from attack, we’re offering ZoneAlarm PRO Firewall for only $9.95 (regularly $40) through this link."

        1. Number6

          Re: ZoneAlarm advert?

          So how do I install ZoneAlarm PRO on all the non-PC devices on my LAN? And will it conflict with iptables where I've got that installed? Perhaps they need to produce ZoneAlarm Fridge or similar...

          As far as I know the latest OpenWRT isn't going to be vulnerable and that's what I have protecting my system, having switched the cable modem to bridge mode with my own router behind it.

          1. jtaylor

            Re: ZoneAlarm advert?

            "So how do I install ZoneAlarm PRO on all the non-PC devices on my LAN?"

            Good point. Personal computers are not the only networked devices. I suppose that tablets and phones are just about as vulnerable at other untrusted locations as they are on your home LAN, so that horse is already long gone. There are also appliances like surveillance cameras.

            To be fair, I don't know how many embedded devices have the hardware to do deep packet inspection. My Drobo doesn't. And it would probably murder battery life on a mobile. CheckPoint can't fix that.

            1. Anonymous Custard

              Re: ZoneAlarm advert?

              Perhaps they need to produce ZoneAlarm Fridge or similar...

              Isn't that more likely to be plugged by Weightwatchers than Checkpoint?

            2. Number6

              Re: ZoneAlarm advert?

              To be fair, I don't know how many embedded devices have the hardware to do deep packet inspection. My Drobo doesn't. And it would probably murder battery life on a mobile. CheckPoint can't fix that.

              An embedded device doesn't need to do deep packet inspection, it just needs to only respond to what it's supposed to handle and to safely reject everything else. If you send it a packet that is too long then the network stack should discard it without overrunning a buffer, if you send a malformed packet of suitable length then the application should correctly parse it and throw out anything that doesn't make sense. Many flaws are there because the software writer was lazy, or didn't think of all the corner cases and handle them. It was many years before people even really thought about deliberate malicious attacks on software, much error-handling was intended to deal with benign mistakes.

              1. jtaylor

                Re: ZoneAlarm advert?

                An embedded device doesn't need to do deep packet inspection, it just needs to only respond to what it's supposed to handle and to safely reject everything else...the application should correctly parse it and throw out anything that doesn't make sense.

                Certainly. I agree with everything you say. Sadly, many potentially vulnerable devices are no longer supported. We can't look to CheckPoint to solve that. That's all I mean.

        2. Jamie Jones Silver badge

          Re: ZoneAlarm advert?

          Hmmmm, a server called "mis" from a previously unknown Irish company called fortunecook.

          Bloody kids today and their domain name abuse. Get off my land, you're not having your ball back, etc.

  2. GremlinUK

    Seems odd to me that the CVE link doesn't go to the CVE. How can anyone act on a CVE that nobody can define properly?

    1. Unlimited

      The CVE is a lie!

      Unable to find vuln CVE-2014-9222

      Sorry, no results found for 'CVE-2014-9222'. Try entering fewer or broader query terms.

    2. Anonymous Coward

      It's a pre-allocated CVE which has been issued in a block to any particular organization. Now whether it remains a valid CVE depends on the quality. FWIW, I wasn't aware that these existed either, but I'm not into self-abuse, err, security research.

      1. Anonymous Coward

        but I'm not into self-abuse, err, security research

        You are missing out on all the face-sitting though.

  3. Johnny Canuck

    Safe, I think

    I have 6 access points behind a DDWRT x86 router. All of the APs (2 different models) are not in the list, so I think I'm safe.

    1. Anonymous Coward

      Re: Safe, I think

      Or perhaps it's just YOU who doesn't see them on the list, your rooted router having done a little sanitising of the PDF en route :-)

      [it does feel a little ironic that I'm using a device I suspect to check whether I should suspect it...]

  4. djack

    I really hate this sort of shit. Is this an actual issue or a marketing piece?

    If it is a real technical announcement, what does this mean :-

    "All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser."

    Other than (maybe) some relatively complex code with websockets, I'm not sure how to make my browser output a single packet. Such bullshit can only harm any real warning of a real issue.

    1. diodesign (Written by Reg staff) Silver badge

      Re: djack

      "If it is a real technical announcement, what does this mean"

      The problem is, if you go full disclosure and dump all the details online, someone will weaponize it within an hour and by the end of the week someone will have a 12-million-strong botnet. Check Point noted: "This public awareness may serve as a better incentive for the makers to release updated firmware faster."

      You need to craft a HTTP request with a cookie that exploits a flaw – probably a buffer overflow – in the server. You can always reverse engineer the firmware yourself, like Check Point did, and I suspect people already are.

      C.

      1. djack

        Re: djack

        There are other ways of raising awareness than going full apocalypse scare tactics as a thinly obfuscated attempt to sell software that won't actually fix the problem.

        A single http request with a specially crafted cookie from a Web browser with an extension to allow modification of cookies is a far cry from a single packet sent by a normal Web browser. Checkpoint know the difference and have made that statement to confuse and terrify those who don't.

        It's difficult enough to get people to take security seriously without this sort of marketing shenanigans.

        I'm not just singling out checkpoint here, there are many others who have also done this sort of thing.

    2. Dan 55 Silver badge

      Add the offending cookie to the browser's cookie jar then go to the gateway address, I suppose. I'm sure there'll be Firefox and Chrome add-ons that will let you add/edit cookies.

  5. edge_e

    shields up!

    You can see if you're exposed to this here:

    https://www.grc.com/x/ne.dll?bh0bkyd2

    Merry Christmas

    1. Steven Raith

      Re: shields up!

      Handy - my Draytek 2830 on the latest firmware had this open by default, extremely annoyingly.

      Just disabled it in management.

      Dunno why it's on by default - from the internet if you don't mind.

      1. P. Lee

        Re: shields up!

        Ha! Apparently my netgear doesn't have enough features to be vulnerable.

        Surely the TR* stuff should be disabled once you're no longer in factory default settings?

        1. Steven Raith

          Re: shields up!

          That's what I thought about the Draytek. I can't see why it would be on by default, unless there is an expectation that 50%+ of customers would be using TR069 to manage them; given it's a SOHO/SMB device, I'd find this unlikely meself, but then I could be wrong.

          Still, fixed now, and it prompted me to update me firmware so not grumbling too hard.

  6. Chris Gray 1

    Direct URL

    That page uses tons of evil Javascript from all over the place. Looking at the page source, I see the URL to the actual information is:

    http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf

    I'm happy to say that my router is not on the list.

  7. Anonymous Coward

    TR069?

    "most devices listen publicly on port 7547 to receive instructions from ISPs via the TR-069"

    Really?

    I'd have said the number actively using TR069, at least in the UK, was negligible, but I'm happy to be proved wrong (it's been a few years since I actively followed this stuff).

    And why does TR069 need a listening port open on customer premises anyway, why can't this mechanism be implemented with the ISP doing the listening and the customer router doing an outgoing connect from time to time?

    However, as another reader just found, you'd perhaps do well to check what ports/services are open on the internet-facing side of your router, and shut up any that you don't want.

  8. The Vociferous Time Waster

    Omfg noobs

    My Slackware gaming rig is running my NAT with iptables and ZoneAlarm Pro, and I have 14 different embedded devices all behind SonicWall hardware firewalls, so I don't see the problem.

    Mainly because I lack empathy and don't see that there are people for whom computing is a means to an end rather than the meaning of existence.

  9. hazzamon

    Handy tip...

    To see if your router/modem is running a vulnerable version of RomPager, run Wireshark and access the device's configuration page.

    Look for a HTTP/1.1 200 OK packet, inside that will be listed the server version, eg:

    Server: RomPager/4.07 UPnP/1.0

    Which suggests my modem is vulnerable, bugger. Time to get a different one methinks. Good job it's separate from the router.

    Then again, would my modem even be reachable from the internet if it's running in PPPoE bridge mode? Wouldn't the PPPoE-encapsulated packets get sent straight to the router without the modem even bothering to look at them?

    1. Anonymous Coward

      Re: Handy tip...

      Thank you for that tip. I did it the ocular way but knowing to fire up WireShark for this is much handier. And, for some strange reason, the piece-of-crap Comcast provided router isn't, repeat isn't, subject to this vulnerability. Way to Fail to Fail, Comcast.

    2. Craig Chambers

      Re: Handy tip...

      Err, or just...

      curl -I your-router-IP-address

      No messing with Wireshark needed.

      FWIW...

      craigchambers@microserver:~$ curl -I IP_Address

      HTTP/1.0 400 Bad Request

      Server: Speed Touch WebServer/1.0

      Content-Type: text/html

      Content-Length: 57
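      Automating the `curl -I` check above (and the Wireshark tip it replies to), as an added example that is not code from the thread or from Check Point: it pulls the Server header out of a raw HTTP response head and compares any RomPager version it finds against a fixed-version threshold. The 4.34 threshold is an assumption taken from Check Point's advisory rather than from this page, and the sample responses are constructed from the headers quoted in the thread.

```python
import re
from http.client import HTTPConnection
from typing import Optional, Tuple

# Assumption: Check Point reported RomPager 4.34 as the first fixed release.
# Not taken from this thread; adjust if the vendor's advisory says otherwise.
FIXED_ROMPAGER = (4, 34)

# Constructed samples, built from the headers quoted in the thread.
SAMPLE_ROMPAGER = ("HTTP/1.1 200 OK\r\n"
                   "Server: RomPager/4.07 UPnP/1.0\r\n"
                   "Content-Type: text/html\r\n\r\n")
SAMPLE_SPEEDTOUCH = ("HTTP/1.0 400 Bad Request\r\n"
                     "Server: Speed Touch WebServer/1.0\r\n"
                     "Content-Type: text/html\r\n"
                     "Content-Length: 57\r\n\r\n")

def parse_server_header(raw_head: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response head, if any."""
    for line in raw_head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def rompager_version(server: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from e.g. 'RomPager/4.07 UPnP/1.0'."""
    m = re.search(r"RomPager/(\d+)\.(\d+)", server)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(raw_head: str, fixed: Tuple[int, int] = FIXED_ROMPAGER) -> str:
    """Classify a response head: no banner, not RomPager, old, or current.
    A version banner is only a hint; a vendor may patch without bumping it."""
    server = parse_server_header(raw_head)
    if server is None:
        return "no Server header"
    ver = rompager_version(server)
    if ver is None:
        return "not RomPager: " + server
    return "rompager-old" if ver < fixed else "rompager-current"

def fetch_head(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """What 'curl -I' does: HEAD / and return the status line plus headers."""
    conn = HTTPConnection(host, port, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    head = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    return head + "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
```

      Run `assess(fetch_head("192.168.1.1"))` against your own gateway's LAN address; the constructed samples let the classifier be exercised offline.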

  10. JamesTQuirk

    Last night, my home network was attacked. One machine, which is always online (Transfer Time: 175 Days 22:44 Hours (99.8%)), running ClamWin or the Windows version of Linux ClamTK, was knocked offline, but not compromised. However the HP DV6 i7 went nuts all of a sudden, fans kicked up, the trackpad started to glow red ... I thought "what u doin", and managed to catch Cryptolocker @ work. Process Explorer killed its processes & descendants, msconfig removed startups, stopped machine, pulled HDD, replaced it with a fresh one & rebuilt HP, but with ClamWin. So I have a 320GB HDD here with Cryptolocker half way thru its nasty; all files on the drive are accessible under Xubuntu as ext USB. Windows security is a laugh!

    So if I can disassemble this thing & work out how it talks back to them, & send it back to them dressed the way they expect, how many zeros should I add to his ransom?

    However what I would like to mention about routers, now I have 2, Home Net, and NBN main, when I ask NBN about firmware updates, they had no clue ..

    1. This post has been deleted by its author

    2. Anonymous Coward

      "Windows security is a laugh !"

      Windows security is fine. Cryptolocker / Cryptowall rely on stupid users opening disguised executables and are not remote exploits.

      The platform most vulnerable to full remote attacks is actually Linux - for instance the SynoLocker Crypto Virus.

      1. JamesTQuirk

        I was talking about how, now it's an ext USB drive, when I plug it in to Linux, I can see EVERY FILE on it, no special forensics required, including the Windows secured "password" file ............

        I have captured 3 .exe from the drive, but still haven't found how it was inserted into the system, but found the file it unpacked from, I think, so far, and it's a flash animation I looked at, on a site, or @ that same time. Still sorting this out, eyes sore from reading ASCII disassembly screens, but I am still on the case ....

  11. Anon5000

    So many words - So little info

    Really annoying to see a whole website full of loads of text that tells you nothing that could not have been said with just two sentences. Even advisories that give explicit details are a tenth of the size of all this twaddle.

    It ain't Shellshock or Heartbleed. Maybe a drip of a nosebleed.

  12. Grease Monkey Silver badge

    So the vuln is in the web server on the router? How many home routers allow access to the web management server on the WAN interface? Most only allow access from the LAN side. So doesn't that presuppose that the attacker has access to your LAN? In which case you're already in trouble.

    Or maybe I'm missing something because it's lunch time at 2 hours before COB for the year.

    1. Alan Brown Silver badge

      "Most only allow access from the LAN side."

      As pointed out in TFA, affected boxes listen on port 7457 WANside, even if you think you've disabled WANside listeners.

  13. Mark Allen

    Hopeless list of affected hardware

    What is the point of a list of "affected hardware" if they don't include the firmware versions?

  14. Alistair

    SmartRg DSL modem -- cleared.

    Not vulnerable.

    Also -- if you *do* use Steve's site, please remember that you have to SPECIFY the port - his default scans only go up through 1024.

  15. JamesTQuirk

    Or another scary thought is with these holes, running an OS under virtualization, a cut-down, built-for-the-job distro. DSL is @ 50MB stock version, ready to internet, BUT say, as an example, the "Tiny Core Project" can produce a 12MB FLTK/FLWM desktop.

    If u can cut that down further, and run bash scripts .... ON say an 8-core, 32GB, SATA SSD system, lucky to have a fibre 100MBs x 40MBs internet, I think a sub 5-6 meg ISO-style file, which would DOWNLOAD in milliseconds, could contain a whole other OS, running in a background VM process; before you could blink, it could be unpacking, & then be lying doggo, waiting .....

    (My choice would be a VM of a newer DOS-based, BAT-file-driven monster, prob under 2-3 meg, easier to hide in Windows coop ..)

    Why I switch virtualization off in BIOS on my online machines & have 2 networks, TRUE home, & other internet capable, things only moved between networks on USB drives, after careful inspection..

    1. JamesTQuirk

      Uuuuuund, Merry Christmas, I got the bugger I hope. It came to last night; I made a .ISO out of the 320GB, ran it in a VM under Linux, let it run its course, with me watching. About an hour ago the VM got the demand, BUT I was watching the VM the whole time. I have them now …..
