Solved

Mitigating measures for Misfortune Cookie

Posted on 2015-01-07
Last Modified: 2015-01-20
If our IPS doesn't have the signatures yet, what interim mitigating measures can we undertake?

==================detailed description =====================

The Misfortune Cookie vulnerability (CVE-2014-9222) affects the RomPager software component (versions before 4.34) from AllegroSoft:

This software is embedded in firmware used by millions of residential gateway (SOHO router) devices from different models and makers. Although the vulnerability was addressed by AllegroSoft in 2005, Check Point research reported approximately 12 million readily exploitable unique devices connected to the internet, present in 189 countries across the globe. The result was measured based on scans of ports 80 and 7547 for the vulnerable software. Check Point provided a list of suspected-vulnerable residential gateway models for reference. (http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf)

 

The vulnerability allows an attacker to execute arbitrary code remotely and take over the device with administrative privileges. With administrative access to the gateway, attackers have the ability to directly monitor connections and identifiers belonging to your devices. Attackers can also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes to bypass any firewall or isolation functionality previously provided by the gateway, resulting in networked devices (e.g. computers, phones, tablets, printers, security cameras) having an increased risk of compromise. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.

 
Although the vulnerable RomPager software is prevalent in residential gateways, it can also be found in embedded devices like printers, digital media devices, routers, RAID disk arrays, UPS systems, automated building control systems, and remote access servers. According to AllegroSoft's website, some of the major equipment vendors using RomPager are listed below.

- Brocade, APC, 3Com, Schneider Electric, Konica Minolta, Kronos, Nortel Networks, Xerox, D-Link Systems, Inc., Intel, Cisco

 
 

References:

http://mis.fortunecook.ie/

https://www.us-cert.gov/ncas/current-activity/2014/12/20/Misfortune-Cookie-Broadband-Router-Vulnerability

https://www.allegrosoft.com/allegro-software-urges-manufacturers-to-maintain-firmware-for-highest-level-of-embedded-device-security/news-press.html
Question by: sunhux
 
Assisted Solution

by: btan
Regardless, there is still a need to patch, but you may want to make sure which devices are exposing the port, such as the CWMP port, and especially those still on the public boundary and internet-facing. Either disable it with the FW or restrict it to only a trusted IP range that is profiled to be the common pool that is coming in, if that is viable. Maybe you should take a separate ISP route (need their advice) to these vulnerable devices, if that is even viable. The PDF link does share the measures, which you may want to consider, specifically like (in brief):

- Monitoring for unexpected configuration changes
- Changes in device administrator credentials and other important settings can indicate compromise
- Block, or restrict and concurrently monitor, TR-069/CWMP traffic from blacklisted and untrusted IP ranges
- Enforce SSL/TLS for management and lock down to disallow unencrypted channels to those management ports
- Harden all discovered machines, turning off unnecessary services (like DNS and HTTP etc.), and review the patch version
 
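The first step the answer above calls for is knowing which of your own devices expose RomPager on TCP 80 or 7547. As an added example (not code from the thread, from Check Point or from AllegroSoft), the Python script below grabs the HTTP `Server:` banner from both ports and flags any RomPager build older than 4.34, the fixed version named in the question. The three sample responses are constructed, not captured from real devices; `grab_banner` is the only part that touches the network and is included so the check can be run against a list of your own gateways.

```python
"""Interim inventory check for CVE-2014-9222 (Misfortune Cookie).

Added example, not from the original thread. It reads the HTTP Server
banner on TCP/80 and TCP/7547 (the two ports the thread names) and flags
any RomPager build below 4.34 (the fixed version the question cites).
Only the banner is inspected; nothing is sent beyond a HEAD request.
"""
import re
import socket
from typing import Dict, Optional, Tuple

FIXED_VERSION = (4, 34)   # from the question: versions before 4.34 are affected
PORTS = (80, 7547)        # HTTP and TR-069/CWMP, the ports Check Point scanned

# Matches e.g. "Server: RomPager/4.07 UPnP/1.0"; header names are case-insensitive.
_BANNER_RE = re.compile(r"^Server:\s*RomPager/(\d+)\.(\d+)", re.IGNORECASE | re.MULTILINE)


def parse_rompager_version(response: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) if the HTTP response advertises RomPager, else None."""
    m = _BANNER_RE.search(response)
    if not m:
        return None
    # Compare as integer tuples: "4.07" is (4, 7) and really is older than (4, 34).
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(version: Optional[Tuple[int, int]]) -> bool:
    """True when a RomPager version was found and it is older than 4.34."""
    return version is not None and version < FIXED_VERSION


def classify_banner(response: str) -> str:
    """Map a raw HTTP response to 'vulnerable', 'patched' or 'not-rompager'."""
    version = parse_rompager_version(response)
    if version is None:
        return "not-rompager"
    return "vulnerable" if is_vulnerable_version(version) else "patched"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a minimal HEAD request and return the raw response head (network I/O)."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\r\n\r\n" in b"".join(chunks):   # end of headers reached
                    break
        except socket.timeout:
            pass                                        # keep whatever arrived
    return b"".join(chunks).decode("latin-1", errors="replace")


def check_host(host: str) -> Dict[int, str]:
    """Probe both ports on one host; unreachable ports are reported as 'closed'."""
    results: Dict[int, str] = {}
    for port in PORTS:
        try:
            results[port] = classify_banner(grab_banner(host, port))
        except OSError:
            results[port] = "closed"
    return results


# Constructed sample responses (assumptions for illustration, not real captures).
SAMPLE_VULNERABLE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: RomPager/4.07 UPnP/1.0\r\n"
    'WWW-Authenticate: Basic realm="router"\r\n\r\n'
)
SAMPLE_PATCHED = "HTTP/1.1 200 OK\r\nServer: RomPager/4.51\r\n\r\n"
SAMPLE_OTHER = "HTTP/1.1 200 OK\r\nServer: nginx/1.6.2\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("constructed-vulnerable", SAMPLE_VULNERABLE),
                          ("constructed-patched", SAMPLE_PATCHED),
                          ("constructed-other", SAMPLE_OTHER)):
        print(f"{label}: {classify_banner(sample)}")
```

Treat a missing or non-RomPager banner as inconclusive rather than as proof of a fix: a vendor can rename or suppress the `Server:` header, and a backported fix may not change the version string. Anything this check reports as vulnerable still needs confirmation against the vendor firmware or Check Point's published list before you rely on it for SLA decisions.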

Author Comment

by: sunhux
What's the severity of this vulnerability?

Various IPS vendors assign Critical, High, Medium, Low, and I have different SLA timings to address them. So it will be good to know the severity and the likelihood of being compromised.

Assisted Solution

by: btan
For CVE-2014-9222, we should align with the CVSS value, since it is recognised as the "standard" benchmark from which this CVE is derived, tracked and assigned. But do note that CVSS is undergoing a change from v2 (current) to v3 (now in preview).

e.g. CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9222

In fact, CVSS stated 10/10, which is the most severe rating, so regardless of what term (such as critical or severe) is used by various parties, we should treat it with the highest priority, especially if the enterprise already has this vulnerability exposed.


Author Comment

by: sunhux
Someone gave the following assessment; do you think it's sufficient?

This vulnerability uses TCP 80 and 7547.
Our Cisco devices have no remote access.

GUI access for F5, Firewall & Packet Shaper is all via HTTPS only.
Hence we are secure & no further action is needed.


Author Comment

by: sunhux
Wow, severity of 10/10: as severe as GNU Bash.

"GNU Bash" triggers very few events, but it's precisely its low activity that makes it less noticeable
but more dangerous. We've got nothing from IPS vendors till now.

Accepted Solution

by: btan
By default, if the port or service is not necessary, it should be disabled, so even internet scanning cannot (at least) know of the port's existence and start playing around with it. In fact, management of any network security devices is best not done remotely, and if it is really needed, it should be via VPN and with 2FA. So if those ports are required (not only for management), it can still be exploited, but primarily we are more concerned about the CWMP port 7547. More devices are having this port enabled, including VoIP phones, webcams and set-top cable boxes/DVRs, as shared in the release of the vulnerability news.

Consider the below too:
- Use a non-standard port for CWMP to minimise scans discovering CWMP devices automatically
- Reconfigure CWMP networks to use private non-routable RFC 1918 addresses
- Block CWMP port access from outside the network

We may also consider secure SSL/TLS too, but that depends on whether it is supported or enabled; furthermore, we know the saga about Heartbleed and POODLE too, so it is not a sure guarantee of safeguarding. We are just talking about mitigation and not remediation, which is to patch and close the gap.

I am not surprised there is no signature yet, since it can be protocol-centric, not sure though, but minimally scanning of those ports should be shielded off where possible by FW etc. Check Point came out with a signature though. Also note, I believe there are more related CVEs besides just CVE-2014-9222 (RomPager Authentication Security Bypass – Misfortune Cookie), such as:

TR-069 Auto Configuration Servers Multiple Vulnerabilities
CVE-2014-2840, CVE-2014-4956, CVE-2014-4916, CVE-2014-4917, CVE-2014-4918, CVE-2014-4957

RomPager Authorization Buffer Overflow Denial of Service
CVE-2014-9223

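The accepted solution above says to block CWMP from outside the network, keep it on RFC 1918 addresses, optionally move it to a non-standard port, and monitor what still reaches it. As an added example (not code from the thread), the Python below turns the monitoring part into a check that can run over firewall logs: it parses an assumed iptables/netfilter-style `SRC=... DST=... PROTO=... DPT=...` line format, alerts on inbound TCP connections to the CWMP port from any source outside a trusted set (a placeholder ACS range plus RFC 1918, both assumptions), and counts repeat sources so they can be fed into a blocklist. The `cwmp_port` parameter lets the same check follow a relocated CWMP port. All sample log lines are constructed.

```python
"""Flag TR-069/CWMP connection attempts from untrusted sources.

Added example, not from the original thread. The log format, the ACS
address block and every sample line are assumptions / constructed data,
not captured traffic from any real gateway.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

CWMP_PORT = 7547  # default TR-069 CWMP port named in the thread

# Assumed trusted sources: the ISP's ACS block (a TEST-NET-3 placeholder, not a
# real ACS) plus RFC 1918 space, following the answer's advice to keep CWMP private.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder ACS range (assumption)
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed netfilter-style fields; a different firewall needs its own pattern.
_LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>[A-Za-z]+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract src, dst, proto and destination port; None for lines that don't match."""
    m = _LOG_RE.search(line)
    return m.groupdict() if m else None


def is_trusted(src: str) -> bool:
    """True when the source address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_cwmp(lines: Iterable[str], cwmp_port: int = CWMP_PORT) -> List[Tuple[str, str, int]]:
    """Return (src, dst, port) for each TCP connection to the CWMP port from an untrusted source.

    Pass cwmp_port=<new port> if CWMP has been moved to a non-standard port.
    """
    alerts: List[Tuple[str, str, int]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                   # unparseable line, skip it
        port = int(rec["dpt"])
        if rec["proto"].upper() != "TCP" or port != cwmp_port:
            continue                                   # not CWMP traffic
        if not is_trusted(rec["src"]):
            alerts.append((rec["src"], rec["dst"], port))
    return alerts


def top_sources(alerts: List[Tuple[str, str, int]], limit: int = 5) -> List[Tuple[str, int]]:
    """Count alerts per source so repeat scanners surface first for blocklisting."""
    counts: Dict[str, int] = {}
    for src, _, _ in alerts:
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


# Constructed sample log lines (assumed format, not captured from a real device).
SAMPLE_LOG = [
    "Jan  7 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51000 DPT=7547 SYN",
    "Jan  7 10:01:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40222 DPT=7547 SYN",
    "Jan  7 10:01:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40223 DPT=80 SYN",
    "Jan  7 10:02:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.5 LEN=48 PROTO=UDP SPT=5353 DPT=7547",
    "Jan  7 10:02:30 gw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=33000 DPT=7547 SYN",
    "Jan  7 10:03:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=44100 DPT=7547 SYN",
    "Jan  7 10:03:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40230 DPT=7547 SYN",
    "Jan  7 10:04:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=50001 DPT=30005 SYN",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    hits = find_untrusted_cwmp(SAMPLE_LOG)
    for src, dst, port in hits:
        print(f"untrusted CWMP attempt: {src} -> {dst}:{port}")
    print("top sources:", top_sources(hits))
    print("after moving CWMP to 30005:", find_untrusted_cwmp(SAMPLE_LOG, cwmp_port=30005))
```

The trusted list is the allow-list the answer describes: only the ACS and private space may reach the CWMP port, so every other hit is either a scanner or a misconfiguration worth a ticket. Moving the port (the `cwmp_port=30005` call) hides the service from casual scans but, as the answer says, is mitigation rather than remediation; the same check still applies, and any hit on the new port from outside the allow-list means the new port has been found.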