
CERT Coordination Center


Multiple broadband routers use vulnerable versions of Allegro RomPager

Vulnerability Note VU#561444

Original Release Date: 2014-12-19 | Last Revised: 2017-05-09

Overview

Multiple broadband routers use vulnerable versions of Allegro RomPager in current firmware releases.

Description

Many home and small office/home office (SOHO) routers have been found to be using vulnerable versions of the Allegro RomPager embedded web server. Allegro RomPager versions prior to 4.34 contain a vulnerability in cookie processing code that can be leveraged to grant attackers administrative privileges on the device. According to Check Point's advisory, the vulnerability was addressed by Allegro in 2005 but is still present in current or recent firmware releases of many devices.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on the device.

Solution

Apply an update

Check vendor websites for a firmware update that addresses this issue and apply it if available.

Use third-party firmware

Technical users may consider flashing to third-party firmware such as that provided by dd-wrt, openwrt, or others. Note that this action may invalidate device warranties.

Disable WAN services

If possible, disable services that listen for HTTP or HTTPS connections on the device's WAN side.

Vendor Information

Check Point Software Technologies has published a list of devices (PDF) suspected of being vulnerable. We will update the Vendor Information section below as more information becomes available.


Digi International

Updated:  May 09, 2017

Statement Date:   May 08, 2017

Status

  Affected

Vendor Statement

Digi has posted the following advisory here:

Overview:
Many Digi products contain and use the RomPager by Allegrosoft web server technology. It has come to our attention that this embedded web server, which is used for management of our devices, contains what we have defined as a critical vulnerability. We urge any customer who may have one of these products where the administrative webserver is available on non-secure networks to either upgrade the firmware to a patched version or to disable the web server for management of these devices.

Affected Products:
ConnectPort TS, Connect ES, Connect SP, Connect N2S, AnywhereUSB, ConnectPort X4, ConnectPort X2, Connect ME, Connect EM, Connect WAN 3G, Connect WAN 3G IA, Net+OS

History:
The initial vulnerability was identified a few years ago (Sept 2014) and was evaluated by Digi in consultation with AllegroSoft based on the then-current understanding of the potential vulnerability. It was concluded that only specific RomPager versions (4.07 to 4.37) were vulnerable to these attacks and that Digi's implementation in particular did not rely on those versions or features that were potentially impacted.
The current version of RomPager that Digi uses is version 4.01. In re-evaluation of this vulnerability, which includes a working exploit, we can conclude that the earlier information that was provided to us was in error. This vulnerability does indeed exist within the product, and both CVEs are present in RomPager version 4.01. The CVE-2014-9222 vulnerability can be used to remotely reset admin passwords to gain full access to the devices. For the CVE-2014-9223 vulnerability, this currently can only lead to a denial of service, and a reboot of the device.

CVE-2014-9222 and CVE-2014-9223:
These vulnerabilities are known as the Misfortune Cookie (CVE-2014-9222/9223) vulnerabilities. The vulnerability exists in the cookie processing and authentication digest code, which is included in version 4.01 of our RomPager embedded web server. In our re-evaluation of this, we have deemed this a critical vulnerability for which we have created an immediate patch for affected products that is available online at www.digi.com/support. We recommend that current customers download and evaluate the latest firmware for your Digi devices that you have deployed. As always, evaluation of risk is up to our end customers based on their deployment environment and change management criteria.

Evaluation of risk:
Below are the reasons why we believe this to be a critical vulnerability:
The vulnerability does NOT need any user credentials.
The vulnerability, with a bit of review, is easy to trigger, and has a high degree of success.
All confidentiality and integrity of the device, and of devices that are directly connected to it, are lost.
External exploits are known to exist in the wild, although these exploits only reboot a device at this time.

Mitigation:
To mitigate the issue, it is advised to disable the web server on the device. Other device management methods are not impacted (i.e. SSH, and/or Digi Remote Manager).
Other mitigating factors:
Many of the devices may be deployed within a limited access private network. If this is the case, then the customer should conduct their own risk assessment, as having the device isolated may help reduce the risk of this vulnerability. However, if this device is connected directly to the Internet, we highly suggest disabling the web server immediately, at least on any public interfaces.

Research References:
http://mis.fortunecook.ie/
https://www.allegrosoft.com/allegro-software-urges-manufacturers-to-maintain-firmware-for-highest-level-of-embedded-device-security/news-press.html

Summary:
With security being a critical part of many products in the Internet of Things, we are committed to making sure that our products are safe, and usable within critical infrastructure and other business uses. With vulnerabilities and risks around every corner, we try to take a risk-based approach to fixing vulnerabilities where they are needed most, and at the most critical times. Although we try to understand every customer and use of our products, we understand that each customer has to go through their own risk analysis as well with our products. If you believe that the analysis above is missing information, or there is a significant difference in your evaluation of risk, please do not hesitate to contact our Security Office by emailing security@digi.com.

Firmware Downloads For Affected Products:
Firmware for the affected products can be found at the below link, after selecting the desired product from the list:

https://www.digi.com/support/supporttype?type=firmware

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://knowledge.digi.com/articles/Knowledge_Base_Article/RomPager-Evaluation-of-Security-Vulnerability-VU-561444-Expanded-info-on-CVE-2014-9222-CVE-2014-9223/
ftp://ftp1.digi.com/support/firmware/pcn.xbp8681x61.20110222.pdf
https://www.digi.com/resources/security

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Allegro Software Development Corporation

Notified: December 19, 2014

Updated: December 19, 2014

Status

  Not Affected

Vendor Statement

"An example is the case of the CVE-2014-9222 and CVE-2014-9223 vulnerabilities (also known as Misfortune Cookie). These vulnerabilities were discovered in the RomPager embedded web server version 4.07, which was released in 2002. Allegro had previously identified, fixed, and released updated software components that addressed these vulnerabilities. RomPager version 4.34, which resolved these vulnerabilities, was provided to Allegro Software customers in 2005. Allegro has continued to provide updates and enhancements to the RomPager software, and the latest available version is 5.40."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.allegrosoft.com/allegro-software-urges-manufacturers-to-maintain-firmware-for-highest-level-of-embedded-device-security/news-press.html

Addendum

There are no additional comments at this time.


Peplink

Updated:  January 08, 2015

Statement Date:   January 08, 2015

Status

  Not Affected

Vendor Statement

Peplink has verified and confirmed that all of our products do not contain/use the "RomPager" web server component and therefore we are NOT affected by this vulnerability.

There is no customer action required.


Thank you for your attention.


The Peplink Team
Issued on: Dec 23, 2014

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://forum.peplink.com/threads/4095-Unaffected-Security-Notice-on-Misfortune-Cookie-Vulnerability

Addendum

There are no additional comments at this time.


D-Link Systems, Inc.

Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Huawei Technologies

Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Linksys

Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


NetComm Wireless Limited

Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


TP-LINK

Notified: December 19, 2014

Updated: December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


ZTE Corporation

Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


ZyXEL

Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.



CVSS Metrics

Group          Score   Vector
Base           10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.5     E:POC/RL:W/RC:C
Environmental  6.4     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Shahar Tal of Check Point Software Technologies for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-9222
Date Public: 2014-12-19
Date First Published: 2014-12-19
Date Last Updated: 2017-05-09 13:32 UTC
Document Revision: 26

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.