

Mitigating measures for Misfortune Cookie

Posted on 2015-01-07
Medium Priority
Last Modified: 2015-01-20
If our IPS doesn't have the signatures yet, what interim mitigating measures we can undertake?

=================== Detailed description ===================

The Misfortune Cookie vulnerability (CVE-2014-9222) affects the RomPager software component (versions before 4.34) from AllegroSoft:

This software is embedded in firmware used by millions of residential gateway (SOHO router) devices from different models and makers. Although the vulnerability was addressed by AllegroSoft in 2005, Check Point research reported that approximately 12 million readily exploitable unique devices connected to the internet were present in 189 countries across the globe. The result was measured based on scans of ports 80 and 7547 for the vulnerable software. Check Point provided a list of suspected-vulnerable residential gateway models for reference. (http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf)


The vulnerability allows an attacker to execute arbitrary code remotely and take over the device with administrative privileges. With administrative access to the gateway, attackers have the ability to directly monitor connections and identifiers belonging to your devices. Attackers can also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes to bypass any firewall or isolation functionality previously provided by the gateway, resulting in networked devices (e.g. computers, phones, tablets, printers, security cameras) having an increased risk of compromise. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.

Although the vulnerable RomPager software is prevalent in residential gateways, it could also be used in embedded devices like printers, digital media devices, routers, RAID disk arrays, UPS systems, automated building control systems, and remote access servers. According to AllegroSoft's website, some of the major equipment vendors using RomPager are listed below.

- Brocade, APC, 3Com, Schneider Electric, Konica Minolta, Kronos, Nortel Networks, Xerox, D-Link Systems, Inc., Intel, Cisco





Question by:sunhux
LVL 65

Assisted Solution

btan earned 2000 total points
ID: 40537632
Regardless, there is still a need to patch, but you may want to make sure which devices are exposing the port, such as the CWMP port, and especially those still in the public boundary and internet-facing. It is either a disable by FW or a restriction to only a trusted IP range that is profiled to be the common pool that is coming in, if that is viable. Maybe you should take a separate ISP route (need their advice) to these vulnerable devices, if that is even viable. The PDF link does share the measures which you may want to consider, specifically like (in brief):

- Monitoring for unexpected configuration changes
- Changes in device administrator credentials and other important settings can indicate compromise
- Block, or restrict and concurrently monitor, TR-069/CWMP traffic from blacklisted and untrusted IP ranges
- Enforce SSL/TLS for management and lock down to disallow unencrypted channels to those management ports
- Harden all discovered machines and turn off unnecessary services (like DNS and HTTP etc.); review the patch version
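The answer above says to find out which devices expose the relevant ports before deciding to disable or restrict them. The following is an added inventory check, not code from the thread or from Check Point: it reads an HTTP `Server` banner, extracts a RomPager version, and flags anything older than 4.34 (the fixed version the question names) on ports 80 and 7547 (the ports the question names). All function names, the `FIXED_VERSION`/`PORTS_OF_INTEREST` constants and the sample banners are my own constructions.

```python
import http.client
import re

# Added example (not from the thread). Inventory check for the RomPager version
# affected by CVE-2014-9222: the question states versions before 4.34 are
# affected, and that the scans looked at TCP ports 80 and 7547.
FIXED_VERSION = (4, 34)
PORTS_OF_INTEREST = {80: "HTTP management", 7547: "TR-069/CWMP"}

_BANNER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def parse_rompager_version(server_header):
    """Return (major, minor) if the Server header names RomPager, else None."""
    if not server_header:
        return None
    match = _BANNER_RE.search(server_header)
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)))


def assess(server_header, port):
    """Classify one (banner, port) observation as a finding dict."""
    version = parse_rompager_version(server_header)
    finding = {
        "port": port,
        "service": PORTS_OF_INTEREST.get(port, "other"),
        "rompager": version is not None,
        "version": version,
        "suspected_vulnerable": False,
        "reason": "",
    }
    if version is None:
        finding["reason"] = "no RomPager banner; the banner alone cannot tell"
    elif version < FIXED_VERSION:
        # Tuple comparison keeps 4.07 < 4.34 correct (a string compare would not).
        # RomPager minors are two digits, hence %02d to print 4.07 rather than 4.7.
        finding["suspected_vulnerable"] = True
        finding["reason"] = "RomPager %d.%02d is older than 4.34" % version
    else:
        finding["reason"] = "RomPager %d.%02d is 4.34 or newer" % version
    return finding


def fetch_server_header(host, port, timeout=3.0):
    """HEAD request that returns the Server header, or None if unreachable.
    Meant to be driven from your own device inventory list."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/")
        header = conn.getresponse().getheader("Server")
        conn.close()
        return header
    except (OSError, http.client.HTTPException):
        return None


if __name__ == "__main__":
    # Constructed sample banners standing in for live responses.
    samples = [
        ("RomPager/4.07 UPnP/1.0", 7547),
        ("RomPager/4.51 UPnP/1.0", 80),
        ("micro_httpd", 80),
    ]
    for banner, port in samples:
        print(assess(banner, port))
```

A banner is only a hint: vendors can rebuild or relabel the embedded server, so a "suspected" result is a trigger to check the firmware against the vendor's advisory and the Check Point model list, not proof either way. A device with no RomPager banner on 80 but with 7547 open still deserves the CWMP-specific checks from the answer.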

Author Comment

ID: 40537944
What's the severity of this vulnerability?

Various IPS vendors assign Critical, High, Medium, Low & I have different SLA timings to address them. So it will be good to know the severity & likelihood of being compromised.
LVL 65

Assisted Solution

btan earned 2000 total points
ID: 40538040
For CVE-2014-9222, we should align with the CVSS value since it is recognised as the "standard" benchmark, which is where this CVE is derived, tracked and assigned. But do note that CVSS is undergoing a change from v2 (current) to v3 (now in preview).

e.g. CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

In fact, CVSS stated 10/10, which is the most severe rating, so regardless of what term (such as critical or severe) is used by various parties, we should treat it with the highest priority, esp. if the enterprise already has this vulnerability exposed.
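To show where the 10.0 in the vector above comes from, here is an added CVSS v2 base-score calculator; it is not code from the thread or from FIRST/NVD, and the function names are mine. The metric weights and the impact/exploitability formula are those of the CVSS v2 specification, and the severity bands are NVD's v2 mapping (Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0), which is why the vector is labelled HIGH rather than "Critical".

```python
from decimal import Decimal, ROUND_HALF_UP

# Added example (not from the thread): CVSS v2 base score from a vector string.
# Metric weights are those of the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # access vector: Local / Adjacent / Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # access complexity: High / Medium / Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # authentication: Multiple / Single / None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # C/I/A impact: None / Partial / Complete
REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Split 'AV:N/AC:L/Au:N/C:C/I:C/A:C' (optionally in parentheses) into a dict."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    missing = [m for m in REQUIRED if m not in metrics]
    if missing:
        raise ValueError("vector is missing metrics: %s" % ", ".join(missing))
    return metrics


def round_to_1_decimal(x):
    # The spec rounds half up; Python's round() is banker's rounding, so use Decimal.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector):
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]]))
    exploitability = 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176   # no impact at all means a 0.0 score
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity(score):
    """NVD's CVSS v2 qualitative bands."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    vec = "AV:N/AC:L/Au:N/C:C/I:C/A:C"   # the vector quoted in the thread
    score = cvss2_base_score(vec)
    print(vec, score, severity(score))   # 10.0 HIGH
```

The vector's meaning is the practical point for an SLA discussion: network-reachable, low complexity, no authentication, and complete loss of confidentiality, integrity and availability; there is no combination of v2 metrics that scores higher. A base score ignores whether the port is actually reachable from the internet, which is the environmental question the rest of the thread is about.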

Author Comment

ID: 40538179
Someone gave the following assessment; do you think it's sufficient?

This vulnerability uses TCP 80 and 7547.
Our Cisco devices have no remote access.

GUI access for F5, Firewall & Packet Shaper are all via HTTPS only.
Hence we are secured & no further action needed.

Author Comment

ID: 40538196
Wow, severity of 10/10: as severe as GNU Bash.

"GNU Bash" triggers very few events, but it's precisely its low activity that makes it less noticeable but more dangerous. We've got nothing from IPS vendors till now.
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 40539285
By default, if the port or service is not necessary, it should be disabled so that even internet scanning cannot (at least) know of the port's existence and start playing around with it. In fact, management of any network security devices is best not done remotely, and if really needed, it should be via VPN and with 2FA. So if those ports are required (not only for management), they can still be exploited, but primarily we are more concerned with the CWMP port 7547. More devices are having this port enabled, including VoIP phones, webcams and set-top cable boxes/DVRs, as shared in the release of the vulnerability news.

Consider the below too:
- Use a non-standard port for CWMP to minimise scans from discovering CWMP devices automatically
- Reconfigure CWMP networks to use private non-routable internet RFC 1918 addresses
- Block CWMP port access from outside the network

We may also consider secure SSL/TLS too, but that depends on whether it is supported or enabled; furthermore, we know the saga about Heartbleed and POODLE too, so it is not a sure guarantee of safeguard. We are just talking about mitigation and not remediation, which is to patch and close the gap.

I am not surprised there is no signature yet since it can be protocol-centric; not sure though, but minimally scanning of those ports should be shielded off where possible by FW etc. Check Point came out with a signature though. Also to note, I believe there are more related CVEs besides just CVE-2014-9222 (RomPager Authentication Security Bypass - Misfortune Cookie), such as:

TR-069 Auto Configuration Servers Multiple Vulnerabilities
CVE-2014-2840, CVE-2014-4956, CVE-2014-4916, CVE-2014-4917, CVE-2014-4918, CVE-2014-4957

RomPager Authorization Buffer Overflow Denial of Service
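The accepted solution above turns on three questions a gateway owner can actually check: is the service bound at all, is it bound only to RFC 1918 (LAN-side) addresses, and is it reachable from outside. The following is an added audit script, not code from the thread: it parses `netstat -tln`-style output from the device and classifies each listening socket on ports 80 and 7547 by where it is bound. The function names, the `WATCH_PORTS` constant and the sample `netstat` text are my own constructions, and RFC 1918 is checked explicitly rather than through `ipaddress.is_private`, which also matches documentation and other special-purpose ranges.

```python
import ipaddress

# Added example (not from the thread): audit where a gateway's listening
# sockets are bound, for the ports the thread is concerned with.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCH_PORTS = (80, 7547)

EXPOSURE = {
    "all-interfaces": "reachable from WAN unless filtered upstream",
    "public": "reachable from WAN unless filtered upstream",
    "rfc1918": "LAN-side only",
    "loopback": "local only",
}


def classify_bind(addr):
    """Classify the local address a socket is bound to."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: means every interface, WAN included
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def audit_listeners(netstat_text, ports=WATCH_PORTS):
    """Parse `netstat -tln`-style output and return findings for LISTEN sockets.
    ports=None audits every listener, which is what 'turn off unnecessary
    services' calls for."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows look like: tcp 0 0 0.0.0.0:7547 0.0.0.0:* LISTEN
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # also splits ':::22' into '::' and '22'
        port = int(port)
        if ports is not None and port not in ports:
            continue
        kind = classify_bind(addr)
        findings.append({"port": port, "bind": addr, "bind_kind": kind, "exposure": EXPOSURE[kind]})
    return findings


def wan_exposed(findings):
    """The subset that needs either disabling or an upstream filter to the ACS range."""
    return [f for f in findings if f["bind_kind"] in ("all-interfaces", "public")]


# Constructed sample in busybox netstat layout; not captured from a real device.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7547            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.7:80         0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT):
        print(finding)
    print("WAN-exposed:", [(f["port"], f["bind"]) for f in wan_exposed(SAMPLE_NETSTAT and audit_listeners(SAMPLE_NETSTAT))])
```

In the sample, CWMP on `0.0.0.0:7547` and HTTP on the public-side address are the two findings that map onto the answer's measures: either disable the service, move the bind to an RFC 1918 address, or filter 7547 at the edge so only the ISP's ACS range can reach it. The script reports bind placement only; it cannot see an upstream firewall, so a "reachable unless filtered" result still has to be confirmed against the edge rule set.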
