Check Point has disclosed few technical details about a cookie-handling vulnerability in the RomPager web server embedded in 12 million devices. The flaw puts home routers at risk of attack.

More than 12 million devices running an embedded web server called RomPager are vulnerable to a simple attack that could give an attacker a man-in-the-middle position on traffic going to and from home routers made by just about every leading manufacturer.

The exposed devices are mostly ISP-owned residential gateways manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and several others. Researchers at Check Point Software Technologies reported the flaw, which they have named Misfortune Cookie, to all of the affected vendors and manufacturers, and most have responded that they will push new firmware and patches in short order.

The persistent problem with embedded-device security, especially for consumer-owned gear, is that it is up to the device owner to find and flash new firmware; in practice most owners never do, leaving most of the devices in question vulnerable indefinitely.

To exploit the RomPager flaw, an attacker need only send the device's web interface a single packet carrying a crafted HTTP cookie. The malformed cookie corrupts memory on the device, allowing the attacker to gain administrative access to it remotely.

“We hope this is a game-changing wake-up call,” said Shahar Tal, malware and vulnerability research manager with Check Point. “Certainly in terms of numbers, I don’t remember a vulnerability released that had 12 million endpoints online since maybe Conficker in 2008. This is really, really bad and the incredibly slow update propagation chain makes it worse.”

Tal said the vulnerable code was written in 2002 and shipped to chipset makers bundled in a software development kit (SDK). The chipset makers passed the SDK on to device manufacturers, who used it to build their respective firmware; ISPs, Tal said, used the same SDK to prepare the custom firmware they load onto the residential devices they supply to customers.

“The vulnerable code is from 2002 and was actually fixed in 2005 [by AllegroSoft, makers of RomPager] and yet still did not make it into consumer devices,” Tal said. “It’s present in device firmware manufactured in 2014 that we downloaded last month. This is an industry problem; something is wrong.”

Tal said Check Point's Internet scans found the 12 million exposed devices spread across 189 countries. In some of those countries, Tal said, the share of devices found vulnerable hovers around 10 percent, and in one country half of all Internet users are at risk.

“Even when people become aware of this, I don’t expect updated firmware to be deployed in 189 countries,” Tal said. “This will be with us for months and years to come.”

That means vulnerable home routers are exposed to remote attacks that endanger not only the Internet traffic passing through them but also other devices on the local network, such as printers.

“The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes,” Check Point wrote in an analysis published today. “This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.”


Tal said Check Point is not aware of any exploitation of this issue, but expects that researchers and black hats will soon begin querying Shodan and running Google searches for vulnerable devices.
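A first-pass triage check of the kind the scanning described above implies, added here as an example that is not Check Point's tooling or any vendor's code: it takes raw HTTP responses collected from gateways and reports whether the `Server` banner identifies RomPager and, if so, which version. It assumes RomPager advertises itself as `RomPager/<version>` in that header (an assumption about the banner format; the article does not say how the devices were fingerprinted). The sample responses are constructed, not captured traffic, and the version the operator treats as fixed is a parameter with no default, since the article gives no version numbers.

```python
"""Banner-based triage for RomPager on residential gateways.

Added example, not Check Point's scanner or vendor code. Assumptions:
  * RomPager identifies itself in the HTTP `Server` header as
    `RomPager/<version>` (assumed banner format).
  * The caller decides which version counts as fixed; nothing is
    hard-coded here because the article states no version numbers.
The SAMPLES below are constructed responses, not captured from devices.
"""
import re
from typing import Dict, Optional, Tuple

# Match a Server header line inside the header block (CRLF or LF endings).
SERVER_RE = re.compile(rb"^Server:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)
# Extract the dotted version that follows "RomPager/".
ROMPAGER_RE = re.compile(r"\bRomPager/(\d+(?:\.\d+)*)", re.IGNORECASE)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'4.12' -> (4, 12). Tuples compare numerically; strings would not
    ('4.9' > '4.12' as strings, which is wrong)."""
    return tuple(int(part) for part in text.split("."))


def server_header(raw_response: bytes) -> Optional[str]:
    """Return the Server header value of a raw HTTP response, or None.

    Only the header block (everything before the first blank line) is
    searched, so text in the body cannot masquerade as a banner."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    m = SERVER_RE.search(head)
    return m.group(1).decode("latin-1").strip() if m else None


def rompager_version(raw_response: bytes) -> Optional[Version]:
    """Version tuple if the banner says RomPager, else None."""
    banner = server_header(raw_response)
    if banner is None:
        return None
    m = ROMPAGER_RE.search(banner)
    return parse_version(m.group(1)) if m else None


def classify(raw_response: bytes, min_fixed: Version) -> str:
    """'not-rompager', 'needs-review' (RomPager older than min_fixed)
    or 'ok' (RomPager at or above min_fixed)."""
    ver = rompager_version(raw_response)
    if ver is None:
        return "not-rompager"
    return "ok" if ver >= min_fixed else "needs-review"


def triage(responses: Dict[str, bytes], min_fixed: Version) -> Dict[str, str]:
    """Classify every collected response; keys are operator-chosen labels."""
    return {name: classify(raw, min_fixed) for name, raw in responses.items()}


# Constructed sample responses (not real device output). Version numbers
# and the min_fixed value used below are arbitrary illustrations.
SAMPLES: Dict[str, bytes] = {
    "gateway-a": (b"HTTP/1.1 200 OK\r\n"
                  b"Server: RomPager/4.12 UPnP/1.0\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b"<html>login</html>"),
    "gateway-b": (b"HTTP/1.0 401 Unauthorized\r\n"
                  b"server: RomPager/5.01\r\n"
                  b"WWW-Authenticate: Basic realm=\"gateway\"\r\n\r\n"),
    "gateway-c": (b"HTTP/1.1 200 OK\r\n"
                  b"Server: micro_httpd\r\n\r\n"
                  b"<html>RomPager/9.99 appears in the body only</html>"),
    "no-banner": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES, (4, 50)).items():
        print(f"{name:10s} {verdict}")
```

A banner check is only a starting point: firmware builds can rename or suppress the `Server` header, so a response classified as not-rompager does not prove a device is safe, and the "ok" verdict is only as good as the fixed version the operator feeds in from the vendor's advisory.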

“This is very easy to exploit once you figure out the program internals,” Tal said. “We are assuming that some researchers will do that in upcoming days and we hope vendors react as fast as possible to get consumers protected.”

Some vendors, which Tal would not name, have already shared beta versions of updated firmware with Check Point, which has confirmed that the flaw is fixed in those builds.

“Everyone is aware that embedded devices are insecure, but we haven’t had one game-changing event that crosses boundaries and makes the industry understand this,” Tal said. “This one is definitely worth the attention and needs fixing.”