Mitigating measures for Misfortune Cookie

Posted on 2015-01-07
Last Modified: 2015-01-20
If our IPS doesn't have the signatures yet, what interim mitigating measures we can undertake?

==================detailed description =====================

 Misfortune Cookie vulnerability (CVE-2014-9222) affecting RomPager software component (versions before 4.34) from AllegroSoft:

 This software is embedded in firmware used by millions of residential gateway (SOHO router) devices from different models and makers. Although the vulnerability was addressed by AllegroSoft in 2005, Check Point research reported that approximately 12 million readily exploitable unique devices connected to the internet present in 189 countries across the globe. The result was measured based on scans of ports 80 and 7547 for the vulnerable software. Check Point provided a list of suspected-vulnerable residential gateway models for reference. (


The vulnerability allows an attacker to execute arbitrary code remotely and take over the device with administrative privileges. With administrative access to the gateway, attackers have the ability to directly monitor connections and identifiers belonging to your devices. Attackers can also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes to bypass any firewall or isolation functionality previously provided by the gateway resulting in networked devices (eg. computers, phones, tablets, printers, security cameras)  having increased risk of compromise. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.

Although the vulnerable RomPager software are prevalent in residential gateways, it could also be used in embedded devices like printers, digital media devices, routers, RAID disk arrays, UPS systems, automated building control systems, and remote access servers. According to AllegroSoft’s website, some of the major equipment vendors using RomPager are listed below.

·         Brocade, APC, 3Com, Schneider Electric, Konica Minolta, Kronos, Nortel Networks, Xerox, D-Link Systems, Inc., Intel, Cisco


Question by:sunhux
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 63

Assisted Solution

btan earned 500 total points
ID: 40537632
Regardless, there is still need to patch but you may want to make sure what the device exposing the port such as CWMP port and especially those still in public boundary and internet facing. It is either a disable by FW or restrict to only trusted IP range that is profiled to be the common pool that is coming - if that is viable. Maybe should take separate ISP (need their advice) route to these vulnerable device if that is even viable. The pdf link does share the measures which you may want to consider specifically like (in brief)

- Monitoring for unexpected configuration changes
- Changes in devices administrator credentials, and other important settings can indicate compromise
- Block, or restrict and concurrently monitor for TR-069/CWMP traffic from blacklist and untrusted ip ranges
- Enforce SSL/TLS for management and lockdown to disallow unencrypted channel to those management port
- Harden the all discovered machine and turning off unnecessary service (like DNS and http etc), review the patch version

Author Comment

ID: 40537944
What's the severity of this vulnerability?  

Various IPS vendors assign Critical, High, Medium, Low & I have different SLA timings to
address them.  So will be good to know the severity & likelihood of being compromised
LVL 63

Assisted Solution

btan earned 500 total points
ID: 40538040
For CVE-2014-9222, we should align with CVSS value since it is recognised as "standard" benchmark which is where this CVE is derived, tracked and assigned. But do note CVSS is undergoing a change from v2 (current) to v3 (now in preview).

e.g. CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

in fact CVSS stated 10/10 which is the most severe rating so regardless what term (such as critical or severe) is used by various parties, we should treat it with highest priority esp if enterprise has this vulnerable already exposed
Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations


Author Comment

ID: 40538179
Someone gave the following assessment;  do you think it's sufficient?

This vulnerability uses Tcp 80 and 7547
Our Cisco devices have no remote access.

GUI access for F5, Firewall & Packet Shaper are all via https only.
Hence we are secured & no further action needed.

Author Comment

ID: 40538196
Wow, severity of 10/10 : as severe as GNU Bash.

"GNU Bash" triggers very little events but it's precisely its low activity that makes it less noticeable
but more dangerous.  We've got nothing from IPS vendors till now
LVL 63

Accepted Solution

btan earned 500 total points
ID: 40539285
By default, if the port or service is not necessary, it should be disabled so even internet scanning cannot (at least) know the  port existence and start playing around with it. in fact, for management of any network security devices are best not to do it remotely and if really need to it is via VPN and with 2FA. So if those port are required (not only for management), it can still be exploited but primarily we are more concerned of the CWMP port 7547. More devices are having this port enabled, including VOIP phones, webcams and set-top cable boxes/DVRs as shared in release of vulnerability news.

Considering below too:
- Use a non-standard port for CWMP to minimise scans from discovering CWMP devices automatically
- Reconfigure CWMP networks to use private non-routable internet RFC 1918 addresses
- Block CWMP port access from outside the network

We may also consider secure SSL/TLS too but dependent if that is supported or enabled, furthermore, we know the saga about the Heartbleed and Poodle too, so it is not sure guarantee for safeguard .. we just talking about mitigation and not remediation which is to patch and close gap.

I am not surprise there is no signature yet since it can be protocol centric, not sure though but minimally scanning of those port should be shield off where possible by FW etc...checkpoint came out with signature though. Also to note, I believe there are more related CVEs besides just CVE-2014-9222 (RomPager Authentication Security Bypass –MisfortuneCookie), such as

TR-069 Auto Configuration Servers Multiple Vulnerabilities
CVE-2014-2840, CVE-2014-4956, CVE-2014-4916, CVE-2014-4917, CVE-2014-4918, CVE-2014-4957

RomPager Authorization Buffer Overflow Denial of Service

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question