Misfortune Cookie / RomPager Vulnerabilitily - Allegro RomPager Vulnerability / rom-0 Athentication Bypass

Tuesday 14 July 2015 14:25

Overview

A 3rd party has reported the webserver software, AllegroSoft RomPager 4.34 and earlier, used to configure devices via web browser, may allow a malicious user to gain access to a affected device and it's configuration. The exploit for this vulnerability is executed by sending a specially crafted web browser cookie which triggers memory corruption and halts the device's running software. If the device's software halts, it may result in access to its operating system's command prompt. Until mid-2014, the vulnerability is known as the Rom-0 or RomPager Vulnerability, it was then sensationalised as the "Misfortune Cookie" vulnerability by Check Point, Inc.

Most models are carrier specific with carrier certified firmware. End-users of D-Link gateways that received the device from their carrier will receive patches automatically from their carrier.

Other affected devicesl are listed below with the relevant firmwares addressing this vulnerability.

References

CVE-2014-9222 :: Rompager Misfortune Cookie Vulnerability :: ((https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222))

CVE-2014-9223 :: Rompager Digest Buffer Overflow Vulnerability :: ((https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9223))

Check Point Software Technologies :: Misfortune Cookie Reference  :: https://www.checkpoint.com/downloads/partners/Misfortune_Cookie_FAQ.pdf 
+1-917-754-3013 :: [email protected]

Description

In order to maintain 3rd party's intent of the disclosure please reference the original  disclosure at:  http://www.kb.cert.org/vuls/id/561444

Based on the frequent updates and detailed information offered by Check Point Technologies, we ask technical users to consult the link above for the best accuracy.

General Recommendations

All devices on your network should have log-in credentials. If your network has Wi-Fi, please make sure Wi-Fi encryption-keys are enabled. Also for devices that cannot notify the owner of a new software updates, check for updates from the devices manufacture.

Immediately update to the fixed firmware referenced in the table below as they are made available. Please continue to monitor this page for further updates and disclosures.

D-Link recommend your D-Link router remote network management feature disabled (factory default is disabled) to mitigate a malicious remote user using this vulnerability to exploit your router.  If remote network management is disabled, a malicious user would require to be on the local network side of the router or have compromised another device on the network that could be used to attack the router.

D-Link recommends all PCs (Window or Mac) are up-to-date and scanned for virus, bots, or other damaging software that could compromise the network they are connected.

Wi-Fi encryption reduces the risk to this vulnerability if the device Web-GUI is accessed over Wi-Fi. If Wi-Fi network was encrypted, the malicious user would also need to compromise the Wi-Fi encryption, or PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie. 

The default configuration of D-Link's routers is to provide simple installation, ease of usability, and offer widest interoperability. D-Link reminds customers to configure their devices specifically to the for security concerns with in their network infrastructure. In General, D-Link recommends disabling services not being used, changing/securing device log-in credentials, enable Wi-Fi encryption, monitor the routers log files, and access-lists for your devices so security risks for your entire network are minimised.

Affected Product 

Model Name

HW Version

FW Version Fix for Exploit

DSL-320B

Z1 

FW: 1.06

(Updated 19/08/2015)

DSL-321B

Z1

FW: 1.14

(Updated 14/07/2015) 

DSL-2640R

B1 

FW: 1.20

(Updated 07/07/2016) 

DSL-2641R

B1

FW: 1.12

(Updated 10/08/2015) 

DSL-2680

A1

/UK FW: 1.02
/EU FW: 1.04

(Updated 07/07/2016)

DSL-2740R

A1

FW: 1.17

(Updated 07/07/2016) 

GO-DSL-N151

U1

FW: 1.07

(Updated 14/07/2015)

Security patch for your D-Link Devices

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.

 

Share

Press Contacts