Executive Summary

Summary
Title Multiple broadband routers use vulnerable versions of Allegro RomPager
Informations
Name VU#561444 First vendor Publication 2014-12-19
Vendor VU-CERT Last vendor Modification 2015-01-08
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#561444

Multiple broadband routers use vulnerable versions of Allegro RomPager

Original Release date: 19 Dec 2014 | Last revised: 08 Jan 2015

Overview

Multiple broadband routers use vulnerable versions of Allegro RomPager in current firmware releases.

Description

Many home and office/home office (SOHO) routers have been found to be using vulnerable versions of the Allegro RomPager embedded web server. Allegro RomPager versions prior to 4.34 contain a vulnerability in cookie processing code that can be leveraged to grant attackers administrative privileges on the device. According to Check Point's advisory, the vulnerability was addressed by Allegro in 2005 but is present in current or recent firmware releases of many devices.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on the device.

Solution

Apply an update

Check vendor websites for a firmware update that addresses this issue and apply it if available.

Use third-party firmware

Technical users may consider flashing to third-party firmware such as that provided by dd-wrt, openwrt, or others. Note that this action may invalidate device warranties.

Disable WAN services

If possible, disable services that listen for HTTP or HTTPS connections on the device's WAN side.

Vendor Information (Learn More)

Check Point Software Technologies has published a list of devices (PDF) suspected of being vulnerable. We will update the Vendor Information section below as more information becomes available.

VendorStatusDate NotifiedDate Updated
Allegro Software Development CorporationNot Affected19 Dec 201419 Dec 2014
PeplinkNot Affected-08 Jan 2015
D-Link Systems, Inc.Unknown-19 Dec 2014
Huawei TechnologiesUnknown-19 Dec 2014
LinksysUnknown-19 Dec 2014
NetComm Wireless LimitedUnknown-19 Dec 2014
TP-LINKUnknown19 Dec 201419 Dec 2014
ZTE CorporationUnknown-19 Dec 2014
ZyXELUnknown-19 Dec 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base10.0AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal8.5E:POC/RL:W/RC:C
Environmental6.4CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://mis.fortunecook.ie/
  • http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf
  • http://en.wikipedia.org/wiki/List_of_wireless_router_firmware_projects
  • https://www.allegrosoft.com/allegro-software-urges-manufacturers-to-maintain-firmware-for-highest-level-of-embedded-device-security/news-press.html
  • http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf

Credit

Thanks to Shahar Tal of Check Point Software Technologies for reporting this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs:CVE-2014-9222
  • Date Public:19 Dec 2014
  • Date First Published:19 Dec 2014
  • Date Last Updated:08 Jan 2015
  • Document Revision:24

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/561444

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-17 Code

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Snort® IPS/IDS

Date Description
2018-04-12 Potential Misfortune Cookie probe attempt
RuleID : 45886 - Revision : 2 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2014-12-30 Name : The remote host is affected by multiple remote code execution vulnerabilities.
File : allegro_software_rompager_misfortune_cookie.nasl - Type : ACT_ATTACK
2014-12-24 Name : The remote host is affected by multiple remote code execution vulnerabilities.
File : allegro_software_rompager_webserver.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
Date Informations
2015-01-08 17:24:20
  • Multiple Updates
2014-12-31 13:26:16
  • Multiple Updates
2014-12-29 21:27:53
  • Multiple Updates
2014-12-24 21:27:34
  • Multiple Updates
2014-12-24 13:25:34
  • Multiple Updates
2014-12-20 00:21:31
  • First insertion