A vulnerability opens over 12 million routers around the world to remote compromise, researchers said.
“The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism present in the affected software, allowing an attacker to determine the ‘fortune’ of a request by manipulating cookies,” said researchers at Check Point.
“Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state,” the researchers said in blog post. “This, in effect, can trick the attacked device to treat the current session with administrative privileges — to the misfortune of the device owner.”
“All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser,” they said.
Once the device ends up compromised, the attacker can monitor the victims’ Internet connection and steal their credentials, personal and business data. The attacker could be in a nice position to compromise any other device connected to that network. The devices usually operate in the SOHO market.
Introduced in 2002, the vulnerability is in the embedded web server RomPager made by AllegroSoft, a widely embedded in firmware of routers by different manufacturers. The researchers don’t believe it to be an intentionally included backdoor.
After they discovered the flaw and notified AllegroSoft of it, the company told them they issued a fixed version to address the Misfortune Cookie vulnerability in 2005.
This version was provided to licensed manufacturers, but it is well known “the patch propagation cycle, however, is incredibly slow (sometimes non-existent) with these types of devices.”
As a result, devices today still ship with the vulnerable version in place. The researchers provided a list of suspected vulnerable router models, manufactured by TP-Link, Huawei, SmartAX, Zyxel, Netcomm, Edimax, and other companies.