A Router is often the last contact device in a network, that connects the entire network to external networks and the Internet. If the router is somehow compromised, it is easy to compromise all the devices – computers, printers, scanners and even smartphones – connected to it. The Misfortune Cookie has made around 12 million routers vulnerable, in 189 countries, since 2005 and patching it is difficult process, as there are many manufactures involved. This article explains what is the misfortune cookie syndrome and then compiles a list of affected router brands.
What is Misfortune Cookie vulnerability
According to CheckPoint,
“Misfortune cookie vulnerability is a critical vulnerability that allows a cyber criminal to take over a gateway remotely and use it to compromise all devices interconnected to that gateway.”
Further, the Checkpoint researchers say that the vulnerability is present on millions of devices all over the world – from different manufacturers and from different brands. The Misfortune Cookie allows any intruder to take over any network easily by using the vulnerability. It also says that exploits are already available in the deep Internet and people are actively using them for their own gains.
To date over 12 million devices have been detected as carrying this vulnerability!
Why name it Misfortune Cookie
In simple words, since it the vulnerability is based on a HTTP cookie and brings misfortune to the device owner, it is named Misfortune cookie in lines of fortune cookies.
To be more technical, Misfortune cookie is because of a fault in HTTP cookie management mechanism in the router/gateway software. This allows criminals to determine the vulnerability of connection request by sending different cookies to the gateway or the router. In most networks, the router is the gateway and hence the Checkpoint employs the word “gateway”.
“Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application state. This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.”
Is your Router affected by Misfortune Cookie?
The Misfortune cookie has affected many routers or other type of gateways that contain a certain type of software. This software, Rompager from AllegroSoft, is used by different manufacturers in building routers and hence the vulnerable devices are spread all over the world. The Rompager is embedded into the firmware of routers. The vulnerability has been present since 2005 and despite patches by Allegrosoft, many devices are still vulnerable as people (users) do not know of this vulnerability.
You have been compromised if you cannot get to the configuration page of the router. There are no other methods to identify if you have been affected. To know if you are vulnerable, check out the list of Misfortune Cookie Vulnerable Devices, towards the end of this post.
Protection & prevention against Misfortune Cookie
There is not much you can do on your own. You have to ask your vendor for a patch and then flash your firmware with the patched firmware. However, this is not much practical as many vendors have not created patches as yet, though the vulnerability is present from 2005 or prior.
Checkpoint asks you to use an exceptionally good firewall that may reduce your chances of being compromised. However, I do not understand how a firewall would prevent an intruder if he or she has already compromised your network gateway (router).
In short, you have to wait a little longer to get a patch from your vendor. Though Allegrosoft has issued both security advisory and patch, the vendors have been shipping vulnerable devices. This is a serious problem as you have to wait till the vendors issue the patch to its customers.
List of Misfortune Cookie Vulnerable Devices
| 110TC2 | Beetel | BW554 | SBS |
| 16NX073012001 | Nilox | C300APRA2+ | Conceptronic |
| 16NX080112001 | Nilox | Compact Router ADSL2+ | Compact |
| 16NX080112002 | Nilox | D-5546 | den-it |
| 16NX081412001 | Nilox | D-7704G | den-it |
| 16NX081812001 | Nilox | Delsa Telecommunication | Delsa |
| 410TC1 | Beetel | D-Link_DSL-2730R | D-Link |
| 450TC1 | Beetel | DM 856W | Binatone |
| 450TC2 | Beetel | DSL-2110W | D-Link |
| 480TC1 | Beetel | DSL-2120 | D-Link |
| AAM6000EV/Z2 | Zyxel | DSL-2140 | D-Link |
| AAM6010EV | Zyxel | DSL-2140W | D-Link |
| AAM6010EV/Z2 | Zyxel | DSL-2520U | D-Link |
| AAM6010EV-Z2 | Zyxel | DSL-2520U_Z2 | D-Link |
| AAM6020BI | Zyxel | DSL-2600U | D-Link |
| AAM6020BI-Z2 | Zyxel | DSL-2640R | D-Link |
| AAM6020VI/Z2 | Zyxel | DSL-2641R | D-Link |
| AD3000W | starnet | DSL-2680 | D-Link |
| ADSL Modem | Unknown | DSL-2740R | D-Link |
| ADSL Modem/Router | Unknown | DSL-320B | D-Link |
| ADSL Router | BSNL | DSL-321B | D-Link |
| AirLive ARM201 | AirLive | DSL-3680 | D-Link |
| AirLive ARM-204 | AirLive | DT 815 | Binatone |
| AirLive ARM-204 Annex A | AirLive | DT 820 | Binatone |
| AirLive ARM-204 Annex B | AirLive | DT 845W | Binatone |
| AirLive WT-2000ARM | AirLive | DT 850W | Binatone |
| AirLive WT-2000ARM Annex A | AirLive | DWR-TC14 ADSL Modem | Unknown |
| AirLive WT-2000ARM Annex B | AirLive | EchoLife HG520s | Huawei |
| AMG1001-T10A | Zyxel | EchoLife Home Gateway | Huawei |
| APPADSL2+ | Approx | EchoLife Portal de Inicio | Huawei |
| APPADSL2V1 | Approx | GO-DSL-N151 | D-Link |
| AR-7182WnA | Edimax | HB-150N | Hexabyte |
| AR-7182WnB | Edimax | HB-ADSL-150N | Hexabyte |
| AR-7186WnA/B | Edimax | Hexabyte ADSL | Hexabyte |
| AR-7286WNA | Edimax | Home Gateway | Huawei |
| AR-7286WnB | Edimax | iB-LR6111A | iBall |
| Arcor-DSL WLAN-Modem 100 | Arcor | iB-WR6111A | iBall |
| Arcor-DSL WLAN-Modem 200 | Arcor | iB-WR7011A | iBall |
| AZ-D140W | Azmoon | iB-WRA150N | iBall |
| Billion Sky | Billion | iB-WRA300N | iBall |
| BiPAC 5102C | Billion | iB-WRA300N3G | iBall |
| BiPAC 5102S | Billion | IES1248-51 | Zyxel |
| BiPAC 5200S | Billion | KN.3N | Kraun |
| BIPAC-5100 ADSL Router | Billion | KN.4N | Kraun |
| BLR-TX4L | Buffalo | KR.KQ | Kraun |
| KR.KS | Kraun | POSTEF-8840 | Postef |
| KR.XL | Kraun | POSTEF-8880 | Postef |
| KR.XM | Kraun | Prestige 623ME-T1 | Zyxel |
| KR.XM\t | Kraun | Prestige 623ME-T3 | Zyxel |
| KR.YL | Kraun | Prestige 623R-A1 | Zyxel |
| Linksys BEFDSR41W | Linksys | Prestige 623R-T1 | Zyxel |
| LW-WAR2 | LightWave | Prestige 623R-T3 | Zyxel |
| M-101A | ZTE | Prestige 645 | Zyxel |
| M-101B | ZTE | Prestige 645R-A1 | Zyxel |
| M-200 A | ZTE | Prestige 650 | Zyxel |
| M-200 B | ZTE | Prestige 650H/HW-31 | Zyxel |
| MN-WR542T | Mercury | Prestige 650H/HW-33 | Zyxel |
| MS8-8817 | SendTel | Prestige 650H-17 | Zyxel |
| MT800u-T ADSL Router | BSNL | Prestige 650H-E1 | Zyxel |
| MT880r-T ADSL Router | BSNL | Prestige 650H-E3 | Zyxel |
| MT882r-T ADSL Router | BSNL | Prestige 650H-E7 | Zyxel |
| MT886 | SmartAX | Prestige 650HW-11 | Zyxel |
| mtnlbroadband | MTNL | Prestige 650HW-13 | Zyxel |
| NetBox NX2-R150 | Nilox | Prestige 650HW-31 | Zyxel |
| Netcomm NB14 | Netcomm | Prestige 650HW-33 | Zyxel |
| Netcomm NB14Wn | Netcomm | Prestige 650HW-37 | Zyxel |
| NP-BBRsx | Iodata | Prestige 650R-11 | Zyxel |
| OMNI ADSL LAN EE(Annex A) | Zyxel | Prestige 650R-13 | Zyxel |
| P202H DSS1 | Zyxel | Prestige 650R-31 | Zyxel |
| P653HWI-11 | Zyxel | Prestige 650R-33 | Zyxel |
| P653HWI-13 | Zyxel | Prestige 650R-E1 | Zyxel |
| P-660H-D1 | Zyxel | Prestige 650R-E3 | Zyxel |
| P-660H-T1 v3s | Zyxel | Prestige 650R-T3 | Zyxel |
| P-660H-T3 v3s | Zyxel | Prestige 652H/HW-31 | Zyxel |
| P-660HW-D1 | Zyxel | Prestige 652H/HW-33 | Zyxel |
| P-660R-D1 | Zyxel | Prestige 652H/HW-37 | Zyxel |
| P-660R-T1 | Zyxel | Prestige 652R-11 | Zyxel |
| P-660R-T1 v3 | Zyxel | Prestige 652R-13 | Zyxel |
| P-660R-T1 v3s | Zyxel | Prestige 660H-61 | Zyxel |
| P-660R-T3 v3 | Zyxel | Prestige 660HW-61 | Zyxel |
| P-660R-T3 v3s | Zyxel | Prestige 660HW-67 | Zyxel |
| P-660RU-T1 | Zyxel | Prestige 660R-61 | Zyxel |
| P-660RU-T1 v3 | Zyxel | Prestige 660R-61C | Zyxel |
| P-660RU-T1 v3s | Zyxel | Prestige 660R-63 | Zyxel |
| P-660RU-T3 v3s | Zyxel | Prestige 660R-63/67 | Zyxel |
| PA-R11T | Solwise | Prestige 791R | Zyxel |
| PA-W40T-54G | PreWare | Prestige 792H | Zyxel |
| Cerberus P 6311-072 | Pentagram | RAWRB1001 | Reconnect |
| PL-DSL1 | PreWare | RE033 | Roteador |
| PN-54WADSL2 | ProNet | RTA7020 Router | Maxnet |
| PN-ADSL101E | ProNet | RWS54 | Connectionnc |
| Portal de Inicio | Huawei | SG-1250 | Everest |
| SG-1500 | Everest | TD-W8901G 3.0 | TP-Link | |
| SmartAX | SmartAX | TD-W8901GB | TP-Link | |
| SmartAX MT880 | SmartAX | TD-W8901N | TP-Link | |
| SmartAX MT882 | SmartAX | TD-W8951NB | TP-Link | |
| SmartAX MT882r-T | SmartAX | TD-W8951ND | TP-Link | |
| SmartAX MT882u | SmartAX | TD-W8961N | TP-Link | |
| Sterlite Router | Sterlite | TD-W8961NB | TP-Link | |
| Sweex MO300 | Sweex | TD-W8961ND | TP-Link | |
| T514 | Twister | T-KD318-W | MTNL | |
| TD811 | TP-Link | TrendChip ADSL Router | BSNL | |
| TD821 | TP-Link | UM-A+ | Asotel | |
| TD841 | TP-Link | Vodafone ADSL Router | BSNL | |
| TD854W | TP-Link | vx811r | CentreCOM | |
| TD-8616 | TP-Link | WA3002-g1 | BSNL | |
| TD-8811 | TP-Link | WA3002G4 | BSNL | |
| TD-8816 | TP-Link | WA3002-g4 | BSNL | |
| TD-8816 1.0 | TP-Link | WBR-3601 | LevelOne | |
| TD-8816 2.0 | TP-Link | WebShare 111 WN | Atlantis | |
| TD-8816B | TP-Link | WebShare 141 WN | Atlantis | |
| TD-8817 | TP-Link | WebShare 141 WN+ | Atlantis | |
| TD-8817 1.0 | TP-Link | Wireless ADSL Modem/Router | Unknown | |
| TD-8817 2.0 | TP-Link | Wireless-N 150Mbps ADSL | ||
| TD-8817B | TP-Link | Router | BSNL | |
| TD-8820 | TP-Link | ZXDSL 831CII | ZTE | |
| TD-8820 1.0 | TP-Link | ZXDSL 831II | ZTE | |
| TD-8840T | TP-Link | ZXHN H108L | ZTE | |
| TD-8840T 2.0 | TP-Link | ZXV10 W300 | ZTE | |
| TD-8840TB | TP-Link | ZXV10 W300B | ZTE | |
| TD-W8101G | TP-Link | ZXV10 W300D | ZTE | |
| TD-W8151N | TP-Link | ZXV10 W300E | ZTE | |
| TD-W8901G | TP-Link | ZXV10 W300S | ZTE | |
The above is not a comprehensive list of affected devices. Until a patch is available, turn on both the router firewall while having a software firewall as well. Though the article explains what is misfortune cookie and lists some of the vulnerable devices, I could not come up with a proper method to keep yourself safe, except waiting for the patch by your vendor.
If you have any ideas of how to secure the routers, please share with us.
Reference: CheckPoint.
