Misfortune Cookie Vulnerability: Is your Router affected?

A router is usually the last device in a network, the one that connects the whole network to external networks and the Internet. If the router is compromised, it is easy to compromise every device connected to it: computers, printers, scanners and even smartphones. The Misfortune Cookie vulnerability has left around 12 million routers in 189 countries vulnerable since 2005, and patching it is a difficult process because many manufacturers are involved. This article explains what the Misfortune Cookie vulnerability is and then compiles a list of affected router brands.

Misfortune Cookie Vulnerability

What is the Misfortune Cookie vulnerability?

According to Check Point,

“Misfortune cookie vulnerability is a critical vulnerability that allows a cyber criminal to take over a gateway remotely and use it to compromise all devices interconnected to that gateway.”

The Check Point researchers further say that the vulnerability is present on millions of devices all over the world, from different manufacturers and different brands, and that it lets an intruder take over a network with little effort. They also say that exploits are already available on the deep Internet and that people are actively using them for their own gain.

To date over 12 million devices have been detected as carrying this vulnerability!

Fig 0 - What is a router firewall

Why is it named Misfortune Cookie?

In simple words: the vulnerability is based on an HTTP cookie and brings misfortune to the device owner, so it was named Misfortune Cookie as a play on fortune cookies.

More technically, Misfortune Cookie is caused by a fault in the HTTP cookie handling of the web server built into the router or gateway software. Because the cookie is supplied by whoever sends the request, criminals can probe a device by sending different cookies to the router or gateway and, on a vulnerable device, corrupt its memory with a crafted one. In most networks the router is the gateway, which is why Check Point uses the word “gateway”.

“Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application state. This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.”

Is your Router affected by Misfortune Cookie?

Misfortune Cookie affects many routers and other types of gateway that contain a particular piece of software: RomPager from AllegroSoft, an embedded web server that many manufacturers build into their router firmware, which is why vulnerable devices are spread all over the world. The vulnerability has been present since 2005 and, despite patches from AllegroSoft, many devices are still vulnerable because users do not know about it.

One sign that you have been compromised is that you can no longer reach the router's configuration page; there is no other method to tell whether you have been affected. To find out whether you are vulnerable, check the list of Misfortune Cookie vulnerable devices towards the end of this post.
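Beyond the symptom above, one check a practitioner can run from inside the LAN is to look at the Server header that the gateway's web interface returns, since the article identifies AllegroSoft's RomPager as the affected component. The Python below is an added example and is not code from the original post or from Check Point; the two HTTP responses it parses are constructed for the demonstration, the version string in the sample is made up rather than taken from a real device, and the address used in the live-check comment is a hypothetical default. The script only reports whether the admin interface identifies itself as RomPager and which version it claims; whether that version is patched is something to confirm against the vendor's advisory.

```python
"""Inspect a gateway's HTTP response for the RomPager embedded web server.

Added example for this article; the sample responses are constructed, not
captured from real hardware.
"""
import http.client
from typing import Dict, Optional

# Constructed sample: what a RomPager-based admin interface might send.
SAMPLE_ROMPAGER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: RomPager/4.07 UPnP/1.0\r\n"
    "WWW-Authenticate: Basic realm=\"DSL Router\"\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>401 Unauthorized</body></html>"
)

# Constructed sample: a gateway running some other embedded server.
SAMPLE_OTHER = (
    "HTTP/1.1 200 OK\r\n"
    "server: lighttpd/1.4.35\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Login</body></html>"
)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return the response headers as a dict keyed by lower-cased name.

    Tolerates both CRLF and bare LF line endings; the status line is
    skipped, and parsing stops at the blank line before the body.
    """
    headers: Dict[str, str] = {}
    lines = raw_response.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:           # lines[0] is the status line
        if line == "":               # end of the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def rompager_version(raw_response: str) -> Optional[str]:
    """Return the version RomPager advertises, '' if it advertises none,
    or None when the Server header does not name RomPager at all."""
    server = parse_headers(raw_response).get("server")
    if server is None:
        return None
    for token in server.split():
        product, sep, version = token.partition("/")
        if product.lower() == "rompager":
            return version if sep else ""
    return None


def fetch_gateway_response(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Fetch the status line and headers of the gateway's root page.

    Not exercised offline; assumes the admin interface listens on plain
    HTTP at host:port (adjust for your own gateway).
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines.extend(f"{name}: {value}" for name, value in resp.getheaders())
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


def report(raw_response: str) -> str:
    """Human-readable verdict for one captured response."""
    version = rompager_version(raw_response)
    if version is None:
        return "server does not identify as RomPager"
    if version == "":
        return "RomPager detected, version not advertised: check with the vendor"
    return f"RomPager {version} detected: compare with the vendor's patched version"


if __name__ == "__main__":
    for sample in (SAMPLE_ROMPAGER, SAMPLE_OTHER):
        print(report(sample))
    # Live check against a hypothetical default gateway address (not run here):
    # print(report(fetch_gateway_response("192.168.1.1")))
```

Run it as-is to see the verdict for the two constructed samples; for a real gateway, uncomment the last line with your router's LAN address. A device that hides or rewrites its Server header will show up as "does not identify as RomPager", so a negative result does not by itself prove the device is unaffected.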

Protection & prevention against Misfortune Cookie

There is not much you can do on your own. You have to ask your vendor for a patch and then flash your router with the patched firmware. This is not very practical, however, as many vendors have not yet produced patches even though the vulnerability has been present since 2005 or earlier.

Check Point advises using an exceptionally good firewall, which may reduce your chances of being compromised. However, I do not understand how a firewall would stop an intruder who has already compromised your network gateway (router).

In short, you have to wait a little longer for a patch from your vendor. Although AllegroSoft has issued both a security advisory and a patch, vendors have kept shipping vulnerable devices. This is a serious problem, as you have to wait until your vendor issues the patch to its customers.

List of Misfortune Cookie Vulnerable Devices

Model | Manufacturer

110TC2 | Beetel
16NX073012001 | Nilox
16NX080112001 | Nilox
16NX080112002 | Nilox
16NX081412001 | Nilox
16NX081812001 | Nilox
410TC1 | Beetel
450TC1 | Beetel
450TC2 | Beetel
480TC1 | Beetel
AAM6000EV/Z2 | Zyxel
AAM6010EV | Zyxel
AAM6010EV/Z2 | Zyxel
AAM6010EV-Z2 | Zyxel
AAM6020BI | Zyxel
AAM6020BI-Z2 | Zyxel
AAM6020VI/Z2 | Zyxel
AD3000W | starnet
ADSL Modem | Unknown
ADSL Modem/Router | Unknown
ADSL Router | BSNL
AirLive ARM201 | AirLive
AirLive ARM-204 | AirLive
AirLive ARM-204 Annex A | AirLive
AirLive ARM-204 Annex B | AirLive
AirLive WT-2000ARM | AirLive
AirLive WT-2000ARM Annex A | AirLive
AirLive WT-2000ARM Annex B | AirLive
AMG1001-T10A | Zyxel
APPADSL2+ | Approx
APPADSL2V1 | Approx
AR-7182WnA | Edimax
AR-7182WnB | Edimax
AR-7186WnA/B | Edimax
AR-7286WNA | Edimax
AR-7286WnB | Edimax
Arcor-DSL WLAN-Modem 100 | Arcor
Arcor-DSL WLAN-Modem 200 | Arcor
AZ-D140W | Azmoon
Billion Sky | Billion
BiPAC 5102C | Billion
BiPAC 5102S | Billion
BiPAC 5200S | Billion
BIPAC-5100 ADSL Router | Billion
BLR-TX4L | Buffalo
BW554 | SBS
C300APRA2+ | Conceptronic
Cerberus P 6311-072 | Pentagram
Compact Router ADSL2+ | Compact
D-5546 | den-it
D-7704G | den-it
Delsa Telecommunication | Delsa
D-Link_DSL-2730R | D-Link
DM 856W | Binatone
DSL-2110W | D-Link
DSL-2120 | D-Link
DSL-2140 | D-Link
DSL-2140W | D-Link
DSL-2520U | D-Link
DSL-2520U_Z2 | D-Link
DSL-2600U | D-Link
DSL-2640R | D-Link
DSL-2641R | D-Link
DSL-2680 | D-Link
DSL-2740R | D-Link
DSL-320B | D-Link
DSL-321B | D-Link
DSL-3680 | D-Link
DT 815 | Binatone
DT 820 | Binatone
DT 845W | Binatone
DT 850W | Binatone
DWR-TC14 ADSL Modem | Unknown
EchoLife HG520s | Huawei
EchoLife Home Gateway | Huawei
EchoLife Portal de Inicio | Huawei
GO-DSL-N151 | D-Link
HB-150N | Hexabyte
HB-ADSL-150N | Hexabyte
Hexabyte ADSL | Hexabyte
Home Gateway | Huawei
iB-LR6111A | iBall
iB-WR6111A | iBall
iB-WR7011A | iBall
iB-WRA150N | iBall
iB-WRA300N | iBall
iB-WRA300N3G | iBall
IES1248-51 | Zyxel
KN.3N | Kraun
KN.4N | Kraun
KR.KQ | Kraun
KR.KS | Kraun
KR.XL | Kraun
KR.XM | Kraun
KR.YL | Kraun
Linksys BEFDSR41W | Linksys
LW-WAR2 | LightWave
M-101A | ZTE
M-101B | ZTE
M-200 A | ZTE
M-200 B | ZTE
MN-WR542T | Mercury
MS8-8817 | SendTel
MT800u-T ADSL Router | BSNL
MT880r-T ADSL Router | BSNL
MT882r-T ADSL Router | BSNL
MT886 | SmartAX
mtnlbroadband | MTNL
NetBox NX2-R150 | Nilox
Netcomm NB14 | Netcomm
Netcomm NB14Wn | Netcomm
NP-BBRsx | Iodata
OMNI ADSL LAN EE(Annex A) | Zyxel
P202H DSS1 | Zyxel
P653HWI-11 | Zyxel
P653HWI-13 | Zyxel
P-660H-D1 | Zyxel
P-660H-T1 v3s | Zyxel
P-660H-T3 v3s | Zyxel
P-660HW-D1 | Zyxel
P-660R-D1 | Zyxel
P-660R-T1 | Zyxel
P-660R-T1 v3 | Zyxel
P-660R-T1 v3s | Zyxel
P-660R-T3 v3 | Zyxel
P-660R-T3 v3s | Zyxel
P-660RU-T1 | Zyxel
P-660RU-T1 v3 | Zyxel
P-660RU-T1 v3s | Zyxel
P-660RU-T3 v3s | Zyxel
PA-R11T | Solwise
PA-W40T-54G | PreWare
PL-DSL1 | PreWare
PN-54WADSL2 | ProNet
PN-ADSL101E | ProNet
Portal de Inicio | Huawei
POSTEF-8840 | Postef
POSTEF-8880 | Postef
Prestige 623ME-T1 | Zyxel
Prestige 623ME-T3 | Zyxel
Prestige 623R-A1 | Zyxel
Prestige 623R-T1 | Zyxel
Prestige 623R-T3 | Zyxel
Prestige 645 | Zyxel
Prestige 645R-A1 | Zyxel
Prestige 650 | Zyxel
Prestige 650H/HW-31 | Zyxel
Prestige 650H/HW-33 | Zyxel
Prestige 650H-17 | Zyxel
Prestige 650H-E1 | Zyxel
Prestige 650H-E3 | Zyxel
Prestige 650H-E7 | Zyxel
Prestige 650HW-11 | Zyxel
Prestige 650HW-13 | Zyxel
Prestige 650HW-31 | Zyxel
Prestige 650HW-33 | Zyxel
Prestige 650HW-37 | Zyxel
Prestige 650R-11 | Zyxel
Prestige 650R-13 | Zyxel
Prestige 650R-31 | Zyxel
Prestige 650R-33 | Zyxel
Prestige 650R-E1 | Zyxel
Prestige 650R-E3 | Zyxel
Prestige 650R-T3 | Zyxel
Prestige 652H/HW-31 | Zyxel
Prestige 652H/HW-33 | Zyxel
Prestige 652H/HW-37 | Zyxel
Prestige 652R-11 | Zyxel
Prestige 652R-13 | Zyxel
Prestige 660H-61 | Zyxel
Prestige 660HW-61 | Zyxel
Prestige 660HW-67 | Zyxel
Prestige 660R-61 | Zyxel
Prestige 660R-61C | Zyxel
Prestige 660R-63 | Zyxel
Prestige 660R-63/67 | Zyxel
Prestige 791R | Zyxel
Prestige 792H | Zyxel
RAWRB1001 | Reconnect
RE033 | Roteador
RTA7020 Router | Maxnet
RWS54 | Connectionnc
SG-1250 | Everest
SG-1500 | Everest
SmartAX | SmartAX
SmartAX MT880 | SmartAX
SmartAX MT882 | SmartAX
SmartAX MT882r-T | SmartAX
SmartAX MT882u | SmartAX
Sterlite Router | Sterlite
Sweex MO300 | Sweex
T514 | Twister
TD811 | TP-Link
TD821 | TP-Link
TD841 | TP-Link
TD854W | TP-Link
TD-8616 | TP-Link
TD-8811 | TP-Link
TD-8816 | TP-Link
TD-8816 1.0 | TP-Link
TD-8816 2.0 | TP-Link
TD-8816B | TP-Link
TD-8817 | TP-Link
TD-8817 1.0 | TP-Link
TD-8817 2.0 | TP-Link
TD-8817B | TP-Link
TD-8820 | TP-Link
TD-8820 1.0 | TP-Link
TD-8840T | TP-Link
TD-8840T 2.0 | TP-Link
TD-8840TB | TP-Link
TD-W8101G | TP-Link
TD-W8151N | TP-Link
TD-W8901G | TP-Link
TD-W8901G 3.0 | TP-Link
TD-W8901GB | TP-Link
TD-W8901N | TP-Link
TD-W8951NB | TP-Link
TD-W8951ND | TP-Link
TD-W8961N | TP-Link
TD-W8961NB | TP-Link
TD-W8961ND | TP-Link
T-KD318-W | MTNL
TrendChip ADSL Router | BSNL
UM-A+ | Asotel
Vodafone ADSL Router | BSNL
vx811r | CentreCOM
WA3002-g1 | BSNL
WA3002G4 | BSNL
WA3002-g4 | BSNL
WBR-3601 | LevelOne
WebShare 111 WN | Atlantis
WebShare 141 WN | Atlantis
WebShare 141 WN+ | Atlantis
Wireless ADSL Modem/Router | Unknown
Wireless-N 150Mbps ADSL Router | BSNL
ZXDSL 831CII | ZTE
ZXDSL 831II | ZTE
ZXHN H108L | ZTE
ZXV10 W300 | ZTE
ZXV10 W300B | ZTE
ZXV10 W300D | ZTE
ZXV10 W300E | ZTE
ZXV10 W300S | ZTE

The above is not a comprehensive list of affected devices. Until a patch is available, turn on the router's own firewall and run a software firewall on your computers as well. Though this article explains what Misfortune Cookie is and lists some of the vulnerable devices, I could not come up with a proper method to keep yourself safe, other than waiting for the patch from your vendor.

If you have any ideas of how to secure the routers, please share with us.

Reference: Check Point.

Arun Kumar is a Microsoft MVP alumnus, obsessed with technology, especially the Internet. He deals with the multimedia content needs of training and corporate houses. Follow him on Twitter @PowercutIN


  1. Dan

    As best I can determine, this malware doesn’t do so much MITM as it does “convincing” a router that it’s the one and only gateway administrator, so it can pretend to be the gateway solely for purposes of getting into connected devices and then finally exploiting them in absence/knockout of a firewall…or so CheckPoint represents through its terms.

    If that actually is the case, certainly a good firewall (also having self-protection against knockout) is a good idea to keep devices secure even if breached at router; CheckPoint recommends the paid version of Zone Alarm, but a well-tweaked install of the firewall component of free Comodo CIS8 could work just as well (perhaps even free Privatefirewall, not certain that one).

    Sounds like Misfortune Cookie may be behind what ‘Business Insider’, inter alia, have been reporting lately: XBOX and Playstation users finding XMas inability to log on due to DDoS against MS, credentials taken from Amazon dot com, same time; 13,000 Cyberghost paid customers getting their credit cards and emails posted on Pastebin; and 3,000 out of TOR’s 8,000 exit nodes getting taken over same time last week with claim users identified… all these things claimed done by “Lizard Squad”. If so, indeed, not only residential customers should better firewall their devices, but as well should corporations (including Cleverbridge and other e-commerce platforms protecting commercial accounts).

    Hope this helps, looking forward to see if anyone else can help with this one. Great report, cheers!

  2. Lojix Net

    Firstly, thanks ArunKumar… for raising the awareness on this fairly serious and wide-spread vulnerability.

    I’ve confirmed that you can add ‘D-Link DSL-526B’ to that list, and I am suss on a ‘TP-LINK TL-WDR4300’. The initial sign that the D-Link was pwnd was the internet speed jumped from ‘fine’ to ‘almost unusable’ every few minutes. After checking SNR/dB and line attenuation, everything looked fine from the gateway to the ISP’s exchange… Thinking there must be infrastructure issues further on their side, I consulted their techs, who confirmed no line problems (after running a test) …but they could see the erratic changes in data speeds from the gateway. After digging into the logs, it wasn’t too hard to see what was going on. Shortly after boot, it reports something along the lines of corrupt NVRAM and then address after address that SPI is attempting to block traffic to.

    My suspicion is that millions of people didn’t even realise it, or thought nothing of it… but their routers were collectively used in one powerful DDoS attack a few days before Christmas. They served their purpose for whoever’s agenda it was for now… and they’ve gone quiet until the next command gets sent out when they’re needed again.

  3. Anon

    yeah, right about the same time a “certain country” had its internet services cut.

  4. Dan

    Thank you very much for your reply and similar hunch; in the case of DDoS, it certainly would be hard at first to distinguish remote router control hijinks from mass concurrent traffic from individual routers; it seems plausible to me that one could also mount Sybil attacks against any type of exit node via Misfortune Cookie exploit, again making it harder to maintain node owner’s control due to number of unique routers capable of forging network identities. Thank you again, and you too again Mr. Kumar; let’s hope affected router companies patch this exploit, and that more companies opt for real web app firewalls rather than assume Websense-like blocking of proxy/vpn (e.g., TOR) visitors is ultimate protection against would-be site and personal data hackers. Cheers and Happy New Year to all!

  5. Arun Kumar

    Thank you for appreciating the article. I do not see any patches in near future as I think manufacturers are taking the issue lightly. But as you said, all these compromised routers can be used to initiate large attacks on different websites and services.
