Mitigating measures for Misfortune Cookie

Posted on 2015-01-07
Medium Priority
Last Modified: 2015-01-20
If our IPS doesn't have the signatures yet, what interim mitigating measures we can undertake?

================== Detailed description ==================

The Misfortune Cookie vulnerability (CVE-2014-9222) affects the RomPager software component (versions before 4.34) from AllegroSoft:

This software is embedded in firmware used by millions of residential gateway (SOHO router) devices from different models and makers. Although the vulnerability was addressed by AllegroSoft in 2005, Check Point research reported that approximately 12 million readily exploitable unique devices connected to the internet are present in 189 countries across the globe. The result was measured based on scans of ports 80 and 7547 for the vulnerable software. Check Point provided a list of suspected-vulnerable residential gateway models for reference. (http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf)


The vulnerability allows an attacker to execute arbitrary code remotely and take over the device with administrative privileges. With administrative access to the gateway, attackers have the ability to directly monitor connections and identifiers belonging to your devices. Attackers can also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes to bypass any firewall or isolation functionality previously provided by the gateway, resulting in networked devices (e.g. computers, phones, tablets, printers, security cameras) having an increased risk of compromise. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.

Although the vulnerable RomPager software is prevalent in residential gateways, it can also be used in embedded devices like printers, digital media devices, routers, RAID disk arrays, UPS systems, automated building control systems, and remote access servers. According to AllegroSoft's website, some of the major equipment vendors using RomPager are listed below.

- Brocade, APC, 3Com, Schneider Electric, Konica Minolta, Kronos, Nortel Networks, Xerox, D-Link Systems, Inc., Intel, Cisco





Question by: sunhux
LVL 64

Assisted Solution

btan earned 2000 total points
ID: 40537632
Regardless, there is still a need to patch, but you may want to check which devices expose the port, such as the CWMP port, and especially those still at the public boundary and internet-facing. Either disable it at the FW or restrict it to only a trusted IP range that is profiled as the common pool that is coming in, if that is viable. Maybe take a separate ISP route (need their advice) to these vulnerable devices, if that is even viable. The PDF link does share the measures which you may want to consider, specifically (in brief):

- Monitor for unexpected configuration changes
- Changes in device administrator credentials, and other important settings, can indicate compromise
- Block, or restrict and concurrently monitor, TR-069/CWMP traffic from blacklisted and untrusted IP ranges
- Enforce SSL/TLS for management and lock down to disallow unencrypted channels to those management ports
- Harden all discovered machines, turn off unnecessary services (like DNS and HTTP etc.), and review the patch version

Author Comment

ID: 40537944
What's the severity of this vulnerability?

Various IPS vendors assign Critical, High, Medium, Low & I have different SLA timings to address them. So it will be good to know the severity & likelihood of being compromised.
LVL 64

Assisted Solution

btan earned 2000 total points
ID: 40538040
For CVE-2014-9222, we should align with the CVSS value, since it is recognised as the "standard" benchmark, which is where this CVE is derived, tracked and assigned. But do note CVSS is undergoing a change from v2 (current) to v3 (now in preview).

e.g. CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

In fact CVSS states 10/10, which is the most severe rating, so regardless of what term (such as critical or severe) is used by various parties, we should treat it with the highest priority, esp. if the enterprise already has this vulnerability exposed.

Author Comment

ID: 40538179
Someone gave the following assessment; do you think it's sufficient?

This vulnerability uses TCP 80 and 7547.
Our Cisco devices have no remote access.

GUI access for F5, Firewall & Packet Shaper are all via https only.
Hence we are secured & no further action needed.

Author Comment

ID: 40538196
Wow, severity of 10/10: as severe as GNU Bash.

"GNU Bash" triggers very few events, but it's precisely its low activity that makes it less noticeable but more dangerous. We've got nothing from IPS vendors till now.
LVL 64

Accepted Solution

btan earned 2000 total points
ID: 40539285
By default, if the port or service is not necessary, it should be disabled, so that even internet scanning cannot (at least) learn of the port's existence and start playing around with it. In fact, management of any network security devices is best not done remotely, and if really needed, it is via VPN and with 2FA. So if those ports are required (not only for management), they can still be exploited, but primarily we are more concerned with the CWMP port 7547. More devices are having this port enabled, including VoIP phones, webcams and set-top cable boxes/DVRs, as shared in the release of the vulnerability news.

Consider the below too:
- Use a non-standard port for CWMP to minimise scans from discovering CWMP devices automatically
- Reconfigure CWMP networks to use private non-routable internet RFC 1918 addresses
- Block CWMP port access from outside the network

We may also consider secure SSL/TLS too, but that depends on whether it is supported or enabled; furthermore, we know the saga about Heartbleed and POODLE too, so it is not a sure guarantee of safeguarding. We are just talking about mitigation and not remediation, which is to patch and close the gap.

I am not surprised there is no signature yet, since it can be protocol-centric (not sure though), but minimally, scanning of those ports should be shielded off where possible by FW etc. Check Point came out with a signature though. Also to note, I believe there are more related CVEs besides just CVE-2014-9222 (RomPager Authentication Security Bypass – Misfortune Cookie), such as:

TR-069 Auto Configuration Servers Multiple Vulnerabilities
CVE-2014-2840, CVE-2014-4956, CVE-2014-4916, CVE-2014-4917, CVE-2014-4918, CVE-2014-4957

RomPager Authorization Buffer Overflow Denial of Service
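As an added example (not from this thread, from Check Point or from AllegroSoft), here is how the "restrict and concurrently monitor TR-069/CWMP traffic from untrusted IP ranges" measure in the first answer and the "block CWMP port access from outside the network" measure in the accepted solution can be checked against firewall logs. The log lines, the trusted ACS range and the per-port policy are constructed assumptions; replace them with your ISP's ACS range and your own LOG-rule output.

```python
import ipaddress
import re
from collections import Counter

# Constructed iptables-style LOG lines for illustration (not from the original thread).
SAMPLE_LOG = """\
Jan  7 10:01:02 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=7547
Jan  7 10:01:05 gw kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=7547
Jan  7 10:01:09 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=80
Jan  7 10:02:00 gw kernel: [FW-IN] IN=eth0 OUT= SRC=10.20.0.5 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=22
Jan  7 10:02:12 gw kernel: [FW-IN] IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=50001 DPT=80
Jan  7 10:02:30 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.10 PROTO=TCP SPT=44444 DPT=7547
"""

# Hypothetical trusted ACS range (assumption: replace with the range your ISP's ACS really uses).
TRUSTED_ACS = [ipaddress.ip_network("192.0.2.0/24")]
# RFC 1918 private ranges: the only places plain-HTTP management should be reachable from.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED = {7547: "TR-069/CWMP", 80: "HTTP management"}

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

def in_any(addr, nets):
    return any(addr in n for n in nets)

def classify(line):
    """Return a verdict dict for a line that hits a watched port, or None otherwise."""
    m = LINE_RE.search(line)
    if not m or int(m.group("dpt")) not in WATCHED:
        return None
    src, dpt = ipaddress.ip_address(m.group("src")), int(m.group("dpt"))
    if dpt == 7547:
        allowed = in_any(src, TRUSTED_ACS)   # CWMP only from the known ACS range
    else:
        allowed = in_any(src, RFC1918)       # unencrypted admin only from the LAN
    return {"src": str(src), "dpt": dpt, "service": WATCHED[dpt], "allowed": allowed}

def find_untrusted(log_text):
    """All watched-port hits whose source lies outside the allowed ranges."""
    hits = (classify(line) for line in log_text.splitlines())
    return [h for h in hits if h and not h["allowed"]]

def summarize(hits):
    """Count untrusted hits per (source, service) to prioritise firewall blocks."""
    return Counter((h["src"], h["service"]) for h in hits)

if __name__ == "__main__":
    for (src, svc), n in summarize(find_untrusted(SAMPLE_LOG)).items():
        print(f"ALERT {svc}: {n} untrusted hit(s) from {src}")
```

Any hit reported here is traffic the firewall rule in front of the gateway should already be dropping; a non-empty result on your real logs means the block or restriction is not yet in place on that path.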
