
Mitigating measures for Misfortune Cookie

If our IPS doesn't have the signatures yet, what interim mitigating measures can we undertake?

================== Detailed description ==================

Misfortune Cookie vulnerability (CVE-2014-9222) affecting the RomPager software component (versions before 4.34) from AllegroSoft:

This software is embedded in firmware used by millions of residential gateway (SOHO router) devices from different models and makers. Although the vulnerability was addressed by AllegroSoft in 2005, Check Point research reported approximately 12 million readily exploitable unique devices connected to the internet, present in 189 countries across the globe. The result was measured based on scans of ports 80 and 7547 for the vulnerable software. Check Point provided a list of suspected-vulnerable residential gateway models for reference. (http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf)

The vulnerability allows an attacker to execute arbitrary code remotely and take over the device with administrative privileges. With administrative access to the gateway, attackers have the ability to directly monitor connections and identifiers belonging to your devices. Attackers can also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes to bypass any firewall or isolation functionality previously provided by the gateway, resulting in networked devices (e.g. computers, phones, tablets, printers, security cameras) having increased risk of compromise. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.

Although the vulnerable RomPager software is prevalent in residential gateways, it could also be used in embedded devices like printers, digital media devices, routers, RAID disk arrays, UPS systems, automated building control systems, and remote access servers. According to AllegroSoft's website, some of the major equipment vendors using RomPager are listed below.

- Brocade, APC, 3Com, Schneider Electric, Konica Minolta, Kronos, Nortel Networks, Xerox, D-Link Systems, Inc., Intel, Cisco

3 Solutions
btan (Exec Consultant) commented:
Regardless, there is still a need to patch, but you may want to make sure what the device is exposing, such as the CWMP port, and especially those still in the public boundary and internet facing. Either disable it by FW or restrict it to only a trusted IP range that is profiled to be the common pool that is coming - if that is viable. Maybe you should take a separate ISP route (need their advice) to these vulnerable devices, if that is even viable. The pdf link does share the measures which you may want to consider, specifically like (in brief):

- Monitoring for unexpected configuration changes
- Changes in device administrator credentials and other important settings can indicate compromise
- Block, or restrict and concurrently monitor for, TR-069/CWMP traffic from blacklisted and untrusted IP ranges
- Enforce SSL/TLS for management and lock down to disallow unencrypted channels to those management ports
- Harden all discovered machines and turn off unnecessary services (like DNS and http etc.), review the patch version
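The last item above ("review the patch version") can be done at scale from the outside while waiting for firmware, because RomPager announces itself in the HTTP Server header on the same ports (80 and 7547) that the question says the scans targeted. The following is an added example, not code from the thread or from Check Point: it connects to a host, reads the Server header, and flags any RomPager build older than 4.34, the fixed release named in the question. The sample replies at the bottom are constructed, and the request format, timeouts and output labels are choices made for this example.

```python
"""
Banner-based triage for RomPager exposure on the HTTP admin UI (80) and
the TR-069/CWMP port (7547). Added example; not from the original thread.
Assumes the device still answers a plain HTTP request with a
"Server: RomPager/x.yy ..." header, which not every vendor build does.
"""
import re
import socket
import sys

FIXED_VERSION = (4, 34)        # RomPager 4.34 is the fixed release per the question
DEFAULT_PORTS = (80, 7547)     # admin web UI and CWMP, the ports the scans used

_BANNER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def parse_server_banner(raw_response: bytes):
    """Return the RomPager version as (major, minor) from a raw HTTP reply,
    or None when no RomPager Server header is present."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n"):
        if line.lower().startswith("server:"):
            m = _BANNER_RE.search(line)
            if m:
                return int(m.group(1)), int(m.group(2))
    return None


def is_vulnerable_version(version) -> bool:
    """True when the banner version is older than the fixed release.
    Tuple comparison keeps 4.07 < 4.34 correct (string compare would not)."""
    return version is not None and version < FIXED_VERSION


def classify(raw_response: bytes) -> str:
    """Triage label for one reply; 'suspect' means follow up against the
    vendor list, not proof of exploitability."""
    version = parse_server_banner(raw_response)
    if version is None:
        return "no-rompager-banner"
    return "suspect" if is_vulnerable_version(version) else "patched-or-newer"


def probe(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send a minimal HTTP/1.0 request and return the raw reply (network call)."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while len(b"".join(chunks)) < 65536:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # a partial reply is enough; the header is at the front
    return b"".join(chunks)


# Constructed sample replies for offline use (not captured from real devices).
SAMPLE_OLD = b"HTTP/1.0 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\n\r\n"
SAMPLE_FIXED = b"HTTP/1.0 200 OK\r\nServer: RomPager/4.51 UPnP/1.0\r\n\r\n"
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"

if __name__ == "__main__":
    # Usage: python rompager_triage.py <host> [<host> ...]
    for target in sys.argv[1:]:
        for port in DEFAULT_PORTS:
            try:
                print(target, port, classify(probe(target, port)))
            except OSError as exc:
                print(target, port, "error:", exc)
```

Treat the result as triage only: a device whose vendor stripped or rebranded the banner will show up as "no-rompager-banner" even if it runs an old build, so the Check Point model list remains the authoritative reference, and anything marked "suspect" that faces the internet should go straight to the firewall restriction described above.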
sunhux (Author) commented:
What's the severity of this vulnerability?

Various IPS vendors assign Critical, High, Medium, Low, and I have different SLA timings to
address them. So it will be good to know the severity and likelihood of being compromised.
btan (Exec Consultant) commented:
For CVE-2014-9222, we should align with the CVSS value since it is recognised as the "standard" benchmark, which is where this CVE is derived, tracked and assigned. But do note CVSS is undergoing a change from v2 (current) to v3 (now in preview).

e.g. CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

In fact CVSS states 10/10, which is the most severe rating, so regardless of what term (such as critical or severe) is used by various parties, we should treat it with the highest priority, especially if the enterprise already has this vulnerable component exposed.
sunhux (Author) commented:
Someone gave the following assessment; do you think it's sufficient?

This vulnerability uses TCP 80 and 7547.
Our Cisco devices have no remote access.

GUI access for F5, Firewall and Packet Shaper is all via https only.
Hence we are secured and no further action is needed.
sunhux (Author) commented:
Wow, severity of 10/10: as severe as GNU Bash.

"GNU Bash" triggers very few events, but it's precisely its low activity that makes it less noticeable
but more dangerous. We've got nothing from IPS vendors till now.
btan (Exec Consultant) commented:
By default, if the port or service is not necessary, it should be disabled so even internet scanning cannot (at least) know of the port's existence and start playing around with it. In fact, management of any network security device is best not done remotely, and if it really is needed, it should be via VPN and with 2FA. So if those ports are required (not only for management), it can still be exploited, but primarily we are more concerned about the CWMP port 7547. More devices are having this port enabled, including VOIP phones, webcams and set-top cable boxes/DVRs, as shared in the release of the vulnerability news.

Consider the below too:
- Use a non-standard port for CWMP to minimise scans from discovering CWMP devices automatically
- Reconfigure CWMP networks to use private non-routable RFC 1918 addresses
- Block CWMP port access from outside the network

We may also consider SSL/TLS too, but it depends on whether that is supported or enabled; furthermore, we know the saga about Heartbleed and Poodle too, so it is not a sure guarantee of safeguard. We are just talking about mitigation and not remediation, which is to patch and close the gap.

I am not surprised there is no signature yet since it can be protocol centric, not sure though, but minimally scanning of those ports should be shielded off where possible by FW etc. Check Point came out with a signature though. Also to note, I believe there are more related CVEs besides just CVE-2014-9222 (RomPager Authentication Security Bypass - Misfortune Cookie), such as:

TR-069 Auto Configuration Servers Multiple Vulnerabilities
CVE-2014-2840, CVE-2014-4956, CVE-2014-4916, CVE-2014-4917, CVE-2014-4918, CVE-2014-4957

RomPager Authorization Buffer Overflow Denial of Service
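The three CWMP measures in the answer above (non-standard port, RFC 1918 addressing, blocking access from outside) are only as good as the evidence that they hold, so it is worth running a check over firewall logs that reports CWMP flows from sources outside the ranges you trust and CWMP devices still sitting on public addresses. The following is an added example, not code from the thread: the netfilter-style log format, the trusted-source allow-list (RFC 1918 plus a stand-in range for the ISP's ACS), and the sample lines are all constructed for the example and should be replaced with your own firewall's format and your ACS addresses.

```python
"""
Detection pass for TR-069/CWMP exposure over firewall log lines.
Added example; not from the original thread. Assumes an iptables-style
"SRC=... DST=... PROTO=... SPT=... DPT=..." line format; adapt the regex
for other firewalls.
"""
import ipaddress
import re

CWMP_PORT = 7547  # change this if CWMP has been moved to a non-standard port

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed allow-list: private space plus a hypothetical ISP ACS range
# (203.0.113.0/24 is a documentation block standing in for the real one).
TRUSTED_SOURCES = RFC1918 + [ipaddress.ip_network("203.0.113.0/24")]

_FLOW_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)"
    r"(?:\s+SPT=\d+)?\s+DPT=(?P<dpt>\d+)"
)


def parse_flow(line: str):
    """Extract src, dst, protocol and destination port from one log line,
    or None when the line carries no flow record."""
    m = _FLOW_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "proto": m.group("proto").upper(),
        "dport": int(m.group("dpt")),
    }


def is_rfc1918(addr) -> bool:
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918)


def is_trusted(addr) -> bool:
    """True when the source falls inside the allow-list (accepts str or address)."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in TRUSTED_SOURCES)


def find_untrusted_cwmp(lines, port=CWMP_PORT):
    """(src, dst) pairs for TCP flows to the CWMP port from untrusted sources.
    Each hit is either a block rule that is missing or a scan that got through."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if not flow or flow["proto"] != "TCP" or flow["dport"] != port:
            continue
        if not is_trusted(flow["src"]):
            hits.append((str(flow["src"]), str(flow["dst"])))
    return hits


def publicly_addressed_cwmp_targets(lines, port=CWMP_PORT):
    """CWMP destinations that are not in RFC 1918 space, i.e. devices the
    answer above recommends moving to private non-routable addressing."""
    targets = set()
    for line in lines:
        flow = parse_flow(line)
        if flow and flow["dport"] == port and not is_rfc1918(flow["dst"]):
            targets.add(str(flow["dst"]))
    return sorted(targets)


# Constructed sample log lines (not from a real firewall).
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=7547",
    "kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=7547",
    "kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.20.30.40 PROTO=TCP SPT=51235 DPT=7547",
    "kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=51236 DPT=443",
    "kernel: IN=eth0 OUT= SRC=192.168.1.5 DST=198.51.100.7 PROTO=TCP SPT=51237 DPT=7547",
    "kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=UDP SPT=5000 DPT=7547",
]

if __name__ == "__main__":
    for src, dst in find_untrusted_cwmp(SAMPLE_LOG):
        print(f"untrusted CWMP access: {src} -> {dst}:{CWMP_PORT}")
    for dst in publicly_addressed_cwmp_targets(SAMPLE_LOG):
        print(f"CWMP device on public address: {dst}")
```

Run it over an accept log, not only a drop log: a hit from an untrusted source in the accepted traffic is exactly the gap the firewall rule was supposed to close, whereas hits in the drop log confirm the rule is doing its job. Moving CWMP to a non-standard port only changes `CWMP_PORT` here; it does not remove the need for the block, since the question's scan figures came from ports that are trivially enumerated.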