Vulnerability in embedded Web server exposes millions of routers to hacking

Attackers can take control of millions of routers by sending a specially crafted request to RomPager, an embedded Web server running on them

A serious vulnerability in an embedded Web server used by many router models from different manufacturers allows remote attackers to take control of affected devices over the Internet.

A compromised router can have wide-ranging implications for the security of home and business networks as it allows attackers to sniff inbound and outbound traffic and provides them with a foothold inside the network from where they can launch attacks against other systems. It also gives them a man-in-the-middle position to strip SSL (Secure Sockets Layer) from secure connections and hijack DNS (Domain Name System) settings to misrepresent trusted websites.

The new vulnerability was discovered by researchers from Check Point Software Technologies and is located in RomPager, an embedded Web server used by many routers to host their Web-based administration interfaces.

RomPager is developed by a company called Allegro Software Development and is sold to chipset manufacturers which then bundle it in their SDKs (software development kits) that are used by router vendors when developing the firmware for their products.

The vulnerability has been dubbed Misfortune Cookie and is being tracked as CVE-2014-9222 in the Common Vulnerabilities and Exposures database. It can be exploited by sending a single specifically crafted request to the RomPager server.

"Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state," the Check Point researchers said on a website created to present the flaw. "This, in effect, can trick the attacked device to treat the current session with administrative privileges -- to the misfortune of the device owner."

The flaw can be exploited by a remote attacker even if the device is not configured to expose its Web-based administration interface to the Internet, making the vulnerability much worse, said Shahar Tal, a security researcher at Check Point.

That's because many routers, especially those that ISPs provisioned to their customers, are configured to listen for connection requests on port 7547 as part of a remote management protocol called TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol).

ISPs send a request to customer devices on port 7547, or another preconfigured port number, when they want those devices to initiate a connection back to their Auto Configuration Servers (ACS). ISPs use these ACS servers to reconfigure customer devices, monitor them for faults or malicious activity, run diagnostics and even upgrade their firmware.

The initial TR-069 request on port 7547 is processed by the device's embedded Web server -- which in many cases is RomPager -- and can be used to exploit the Misfortune Cookie flaw regardless of whether the Web-based administration Interface is configured to be accessible from the Internet or not, Tal explained.

"While the proliferation of devices managed by TR-069 is responsible for creating a very large vulnerable client population, Misfortune Cookie is not a vulnerability related to the TR-069/CWMP per se," the Check Point researchers said. "Misfortune Cookie affects any implementation of a service using the old version of RomPager's HTTP parsing code, on port 80, 8080, 443, 7547, and others."

While many users have probably never heard of it, RomPager is actually among the most widely used Web server software in the world. A 2013 scan of the Internet by HD Moore, the chief security officer at Rapid7, found more RomPager deployments on unique IP (Internet Protocol) addresses than Apache, which is the most popular Web server when counting by hosted websites. In presentation materials on its site, Allegro claims that RomPager is used on over 75 million devices shipped by its customers around the world.

The Misfortune Cookie flaw only exists in RomPager versions older than 4.34 and was actually discovered and patched by Allegro itself back in 2005 following internal code reviews. However, many router models, including new ones released this year, still include old RomPager versions in their firmware, especially RomPager 4.07, according to Tal.

The Check Point researchers have identified around 200 router models from various manufacturers, including D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL, that are likely vulnerable. Based on Internet scans, they've detected almost 12 million unique devices in 189 countries that are directly exploitable over the Internet.

Check Point contacted several major router manufacturers whose products were affected, as well as Allegro. Some responded immediately, confirmed the problem and started working on firmware patches, but others didn't respond at all, the researchers said.

Unfortunately there's not much users can do to protect their routers aside from installing firmware patches when they become available and running firewalls on their computers to protect them against network attacks, Tal said.

ISPs that use TR-069/CWMP to manage customer devices can use the protocol to actually deploy firmware patches quicker. Check Point has released guidance for ISPs in a white paper.

The problem is that not only devices given by ISPs to customers are affected. According to Tal, there are routers that listen to requests on port 7547 by default, even though they are not configured for TR-069.