A Router is often the last contact device in a network, that connects the entire network to external networks and the Internet. If the router is somehow compromised, it is easy to compromise all the devices – computers, printers, scanners and even smartphones – connected to it. The Misfortune Cookie has made around 12 million routers vulnerable, in 189 countries, since 2005 and patching it is difficult process, as there are many manufactures involved. This article explains what is the misfortune cookie syndrome and then compiles a list of affected router brands.
What is Misfortune Cookie vulnerability
According to CheckPoint,
“Misfortune cookie vulnerability is a critical vulnerability that allows a cyber criminal to take over a gateway remotely and use it to compromise all devices interconnected to that gateway.”
Further, the Checkpoint researchers say that the vulnerability is present on millions of devices all over the world – from different manufacturers and from different brands. The Misfortune Cookie allows any intruder to take over any network easily by using the vulnerability. It also says that exploits are already available in the deep Internet and people are actively using them for their own gains.
To date over 12 million devices have been detected as carrying this vulnerability!
Why name it Misfortune Cookie
In simple words, since it the vulnerability is based on a HTTP cookie and brings misfortune to the device owner, it is named Misfortune cookie in lines of fortune cookies.
To be more technical, Misfortune cookie is because of a fault in HTTP cookie management mechanism in the router/gateway software. This allows criminals to determine the vulnerability of connection request by sending different cookies to the gateway or the router. In most networks, the router is the gateway and hence the Checkpoint employs the word “gateway”.
“Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application state. This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.”
Is your Router affected by Misfortune Cookie?
The Misfortune cookie has affected many routers or other type of gateways that contain a certain type of software. This software, Rompager from AllegroSoft, is used by different manufacturers in building routers and hence the vulnerable devices are spread all over the world. The Rompager is embedded into the firmware of routers. The vulnerability has been present since 2005 and despite patches by Allegrosoft, many devices are still vulnerable as people (users) do not know of this vulnerability.
You have been compromised if you cannot get to the configuration page of the router. There are no other methods to identify if you have been affected. To know if you are vulnerable, check out the list of Misfortune Cookie Vulnerable Devices, towards the end of this post.
Protection & prevention against Misfortune Cookie
There is not much you can do on your own. You have to ask your vendor for a patch and then flash your firmware with the patched firmware. However, this is not much practical as many vendors have not created patches as yet, though the vulnerability is present from 2005 or prior.
Checkpoint asks you to use an exceptionally good firewall that may reduce your chances of being compromised. However, I do not understand how a firewall would prevent an intruder if he or she has already compromised your network gateway (router).
In short, you have to wait a little longer to get a patch from your vendor. Though Allegrosoft has issued both security advisory and patch, the vendors have been shipping vulnerable devices. This is a serious problem as you have to wait till the vendors issue the patch to its customers.
List of Misfortune Cookie Vulnerable Devices
| 110TC2 | Beetel | BW554 | SBS |
| 16NX073012001 | Nilox | C300APRA2+ | Conceptronic |
| 16NX080112001 | Nilox | Compact Router ADSL2+ | Compact |
| 16NX080112002 | Nilox | D-5546 | den-it |
| 16NX081412001 | Nilox | D-7704G | den-it |
| 16NX081812001 | Nilox | Delsa Telecommunication | Delsa |
| 410TC1 | Beetel | D-Link_DSL-2730R | D-Link |
| 450TC1 | Beetel | DM 856W | Binatone |
| 450TC2 | Beetel | DSL-2110W | D-Link |
| 480TC1 | Beetel | DSL-2120 | D-Link |
| AAM6000EV/Z2 | Zyxel | DSL-2140 | D-Link |
| AAM6010EV | Zyxel | DSL-2140W | D-Link |
| AAM6010EV/Z2 | Zyxel | DSL-2520U | D-Link |
| AAM6010EV-Z2 | Zyxel | DSL-2520U_Z2 | D-Link |
| AAM6020BI | Zyxel | DSL-2600U | D-Link |
| AAM6020BI-Z2 | Zyxel | DSL-2640R | D-Link |
| AAM6020VI/Z2 | Zyxel | DSL-2641R | D-Link |
| AD3000W | starnet | DSL-2680 | D-Link |
| ADSL Modem | Unknown | DSL-2740R | D-Link |
| ADSL Modem/Router | Unknown | DSL-320B | D-Link |
| ADSL Router | BSNL | DSL-321B | D-Link |
| AirLive ARM201 | AirLive | DSL-3680 | D-Link |
| AirLive ARM-204 | AirLive | DT 815 | Binatone |
| AirLive ARM-204 Annex A | AirLive | DT 820 | Binatone |
| AirLive ARM-204 Annex B | AirLive | DT 845W | Binatone |
| AirLive WT-2000ARM | AirLive | DT 850W | Binatone |
| AirLive WT-2000ARM Annex A | AirLive | DWR-TC14 ADSL Modem | Unknown |
| AirLive WT-2000ARM Annex B | AirLive | EchoLife HG520s | Huawei |
| AMG1001-T10A | Zyxel | EchoLife Home Gateway | Huawei |
| APPADSL2+ | Approx | EchoLife Portal de Inicio | Huawei |
| APPADSL2V1 | Approx | GO-DSL-N151 | D-Link |
| AR-7182WnA | Edimax | HB-150N | Hexabyte |
| AR-7182WnB | Edimax | HB-ADSL-150N | Hexabyte |
| AR-7186WnA/B | Edimax | Hexabyte ADSL | Hexabyte |
| AR-7286WNA | Edimax | Home Gateway | Huawei |
| AR-7286WnB | Edimax | iB-LR6111A | iBall |
| Arcor-DSL WLAN-Modem 100 | Arcor | iB-WR6111A | iBall |
| Arcor-DSL WLAN-Modem 200 | Arcor | iB-WR7011A | iBall |
| AZ-D140W | Azmoon | iB-WRA150N | iBall |
| Billion Sky | Billion | iB-WRA300N | iBall |
| BiPAC 5102C | Billion | iB-WRA300N3G | iBall |
| BiPAC 5102S | Billion | IES1248-51 | Zyxel |
| BiPAC 5200S | Billion | KN.3N | Kraun |
| BIPAC-5100 ADSL Router | Billion | KN.4N | Kraun |
| BLR-TX4L | Buffalo | KR.KQ | Kraun |
| KR.KS | Kraun | POSTEF-8840 | Postef |
| KR.XL | Kraun | POSTEF-8880 | Postef |
| KR.XM | Kraun | Prestige 623ME-T1 | Zyxel |
| KR.XM\t | Kraun | Prestige 623ME-T3 | Zyxel |
| KR.YL | Kraun | Prestige 623R-A1 | Zyxel |
| Linksys BEFDSR41W | Linksys | Prestige 623R-T1 | Zyxel |
| LW-WAR2 | LightWave | Prestige 623R-T3 | Zyxel |
| M-101A | ZTE | Prestige 645 | Zyxel |
| M-101B | ZTE | Prestige 645R-A1 | Zyxel |
| M-200 A | ZTE | Prestige 650 | Zyxel |
| M-200 B | ZTE | Prestige 650H/HW-31 | Zyxel |
| MN-WR542T | Mercury | Prestige 650H/HW-33 | Zyxel |
| MS8-8817 | SendTel | Prestige 650H-17 | Zyxel |
| MT800u-T ADSL Router | BSNL | Prestige 650H-E1 | Zyxel |
| MT880r-T ADSL Router | BSNL | Prestige 650H-E3 | Zyxel |
| MT882r-T ADSL Router | BSNL | Prestige 650H-E7 | Zyxel |
| MT886 | SmartAX | Prestige 650HW-11 | Zyxel |
| mtnlbroadband | MTNL | Prestige 650HW-13 | Zyxel |
| NetBox NX2-R150 | Nilox | Prestige 650HW-31 | Zyxel |
| Netcomm NB14 | Netcomm | Prestige 650HW-33 | Zyxel |
| Netcomm NB14Wn | Netcomm | Prestige 650HW-37 | Zyxel |
| NP-BBRsx | Iodata | Prestige 650R-11 | Zyxel |
| OMNI ADSL LAN EE(Annex A) | Zyxel | Prestige 650R-13 | Zyxel |
| P202H DSS1 | Zyxel | Prestige 650R-31 | Zyxel |
| P653HWI-11 | Zyxel | Prestige 650R-33 | Zyxel |
| P653HWI-13 | Zyxel | Prestige 650R-E1 | Zyxel |
| P-660H-D1 | Zyxel | Prestige 650R-E3 | Zyxel |
| P-660H-T1 v3s | Zyxel | Prestige 650R-T3 | Zyxel |
| P-660H-T3 v3s | Zyxel | Prestige 652H/HW-31 | Zyxel |
| P-660HW-D1 | Zyxel | Prestige 652H/HW-33 | Zyxel |
| P-660R-D1 | Zyxel | Prestige 652H/HW-37 | Zyxel |
| P-660R-T1 | Zyxel | Prestige 652R-11 | Zyxel |
| P-660R-T1 v3 | Zyxel | Prestige 652R-13 | Zyxel |
| P-660R-T1 v3s | Zyxel | Prestige 660H-61 | Zyxel |
| P-660R-T3 v3 | Zyxel | Prestige 660HW-61 | Zyxel |
| P-660R-T3 v3s | Zyxel | Prestige 660HW-67 | Zyxel |
| P-660RU-T1 | Zyxel | Prestige 660R-61 | Zyxel |
| P-660RU-T1 v3 | Zyxel | Prestige 660R-61C | Zyxel |
| P-660RU-T1 v3s | Zyxel | Prestige 660R-63 | Zyxel |
| P-660RU-T3 v3s | Zyxel | Prestige 660R-63/67 | Zyxel |
| PA-R11T | Solwise | Prestige 791R | Zyxel |
| PA-W40T-54G | PreWare | Prestige 792H | Zyxel |
| Cerberus P 6311-072 | Pentagram | RAWRB1001 | Reconnect |
| PL-DSL1 | PreWare | RE033 | Roteador |
| PN-54WADSL2 | ProNet | RTA7020 Router | Maxnet |
| PN-ADSL101E | ProNet | RWS54 | Connectionnc |
| Portal de Inicio | Huawei | SG-1250 | Everest |
| SG-1500 | Everest | TD-W8901G 3.0 | TP-Link | |
| SmartAX | SmartAX | TD-W8901GB | TP-Link | |
| SmartAX MT880 | SmartAX | TD-W8901N | TP-Link | |
| SmartAX MT882 | SmartAX | TD-W8951NB | TP-Link | |
| SmartAX MT882r-T | SmartAX | TD-W8951ND | TP-Link | |
| SmartAX MT882u | SmartAX | TD-W8961N | TP-Link | |
| Sterlite Router | Sterlite | TD-W8961NB | TP-Link | |
| Sweex MO300 | Sweex | TD-W8961ND | TP-Link | |
| T514 | Twister | T-KD318-W | MTNL | |
| TD811 | TP-Link | TrendChip ADSL Router | BSNL | |
| TD821 | TP-Link | UM-A+ | Asotel | |
| TD841 | TP-Link | Vodafone ADSL Router | BSNL | |
| TD854W | TP-Link | vx811r | CentreCOM | |
| TD-8616 | TP-Link | WA3002-g1 | BSNL | |
| TD-8811 | TP-Link | WA3002G4 | BSNL | |
| TD-8816 | TP-Link | WA3002-g4 | BSNL | |
| TD-8816 1.0 | TP-Link | WBR-3601 | LevelOne | |
| TD-8816 2.0 | TP-Link | WebShare 111 WN | Atlantis | |
| TD-8816B | TP-Link | WebShare 141 WN | Atlantis | |
| TD-8817 | TP-Link | WebShare 141 WN+ | Atlantis | |
| TD-8817 1.0 | TP-Link | Wireless ADSL Modem/Router | Unknown | |
| TD-8817 2.0 | TP-Link | Wireless-N 150Mbps ADSL | ||
| TD-8817B | TP-Link | Router | BSNL | |
| TD-8820 | TP-Link | ZXDSL 831CII | ZTE | |
| TD-8820 1.0 | TP-Link | ZXDSL 831II | ZTE | |
| TD-8840T | TP-Link | ZXHN H108L | ZTE | |
| TD-8840T 2.0 | TP-Link | ZXV10 W300 | ZTE | |
| TD-8840TB | TP-Link | ZXV10 W300B | ZTE | |
| TD-W8101G | TP-Link | ZXV10 W300D | ZTE | |
| TD-W8151N | TP-Link | ZXV10 W300E | ZTE | |
| TD-W8901G | TP-Link | ZXV10 W300S | ZTE | |
The above is not a comprehensive list of affected devices. Until a patch is available, turn on both the router firewall while having a software firewall as well. Though the article explains what is misfortune cookie and lists some of the vulnerable devices, I could not come up with a proper method to keep yourself safe, except waiting for the patch by your vendor.
If you have any ideas of how to secure the routers, please share with us.
Reference: CheckPoint.
As best I can determine, this malware doesn’t do so much MITM as it does “convincing” a router that it’s the one and only gateway administrator, so it can pretend to be the gateway solely for purposes of getting into connected devices and then finally exploiting them in absence/knockout of a firewall…or so CheckPoint represents through its terms.
If that actually is the case, certainly a good firewall (also having self-protection against knockout) is a good idea to keep devices secure even if breached at router; CheckPoint recommends the paid version of Zone Alarm, but a well-tweaked install of the firewall component of free Comodo CIS8 could work just as well (perhaps even free Privatefirewall, not certain that one).
Sounds like Misfortune Cookie may be behind what ‘Business Insider’, inter alia, have been reporting lately: XBOX and Playstation users finding XMas inability to log on due to DdOS against MS, credentials taken from Amazon dot com, same time; 13,000 Cyberghost paid customers getting their credit cards and emails posted on Pastebin; and 3,000 out of TOR’s 8,000 exit nodes getting taken over same time last week with claim users identified….all these things claimed done by “Lizard Squad”. If so, indeed, not only residential customers should better firewall their devices, but as well should corporations (including Cleverbridge and other e-commerce platforms protecting commercial accounts).
Hope this helps, looking forward to see if anyone else can help with this one. Great report, cheers!
Firstly, thanks ArunKumar… for raising the awareness on this fairly serious and wide-spread vulnerability.
I’ve confirmed that you can add ‘D-Link DSL-526B’ to that list, and I am suss on a ‘TP-LINK TL-WDR4300’. The initial sign that the D-Link was pwnd, was the internet speed jumped from ‘fine’ to ‘almost unusable’ every few minutes. After checking SNR/dB and line attenuation everything looked fine from the gateway to the ISP’s exchange… Thinking there must be infrastructure issues further on their side, I consulted their tech’s who confirmed no line problems (after running a test) …but they could see the erratic changes in data speeds from the gateway. After digging into the logs, it wasn’t to hard to see what was going on. Shortly after boot, it reports something along the lines of corrupt NVRAM and then address after address that SPI is attempting to block traffic to.
My suspicion is that millions of people didn’t even realise it, or thought nothing of it… but their routers were collectively used in one powerful DDOS attack a few days before Christmas. They served their purpose for whoevers agenda it was for now… and they’ve gone quiet until the next command gets sent out when they’re needed again.
yeah, right about the same time a “certain country” had its internet services cut.
Thank you very much for your reply and similar hunch; in the case of ddos, it certainly would be hard at first to distinguish remote router control hijinx from mass concurrent traffic from individual routers; it seems plausible to me that one could also mount Sybil attacks against any type of exit node via Misfortune Cookie exploit, again making it harder to maintain node owner’s control due to number of unique routers capable of forging network identities. Thank you again, and you too again Mr. Kumar; let’s hope affected router companies patch this exploit, and that more companies opt for real web app firewalls rather than assume Websense-like blocking of proxy/vpn (e.g., TOR) visitors is ultimate protection against would-be site and personal data hackers. Cheers and Happy New Year to all!
Thank you for appreciating the article. I do not see any patches in near future as I think manufacturers are taking the issue lightly. But as you said, all these compromised routers can be used to initiate large attacks on different websites and services.