Vulnerability in embedded Web server exposes millions of routers to hacking

Security

A serious vulnerability in an embedded Web server used by many router models from different manufacturers allows remote attackers to take control of affected devices over the Internet.

A compromised router can have wide-ranging implications for the security of home and business networks as it allows attackers to sniff inbound and outbound traffic and provides them with a foothold inside the network from where they can launch attacks against other systems. It also gives them a man-in-the-middle position to strip SSL (Secure Sockets Layer) from secure connections and hijack DNS (Domain Name System) settings to misrepresent trusted websites.

The new vulnerability was discovered by researchers from Check Point Software Technologies and is located in RomPager, an embedded Web server used by many routers to host their Web-based administration interfaces.

RomPager is developed by a company called Allegro Software Development and is sold to chipset manufacturers which then bundle it in their SDKs (software development kits) that are used by router vendors when developing the firmware for their products.

The vulnerability has been dubbed Misfortune Cookie and is being tracked as CVE-2014-9222 in the Common Vulnerabilities and Exposures database. It can be exploited by sending a single specifically crafted request to the RomPager server.

“Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state,” the Check Point researchers said on a website created to present the flaw. “This, in effect, can trick the attacked device to treat the current session with administrative privileges—to the misfortune of the device owner.”

The flaw can be exploited by a remote attacker even if the device is not configured to expose its Web-based administration interface to the Internet, making the vulnerability much worse, said Shahar Tal, a security researcher at Check Point.

Read more: PC World