Please Apply Our 10 Year-Old Patch: The Dismal State of Embedded Device Security

A vulnerability in software that runs on some 12 million home routers underscores the challenge of managing the security of embedded systems and so-called "customer premises equipment." (Image courtesy of foodiggity.com)

On Friday, the firm Allegro Software of Boxborough, Massachusetts, released an odd-sounding statement encouraging all its customers to “maintain firmware for highest level of embedded device security.”

Specifically, Allegro wanted to warn customers about the need to apply a software update to address two recently discovered vulnerabilities affecting its Rom Pager embedded web server: CVE-2014-9222 and CVE-2014-9223, collectively known as the “Misfortune Cookie” vulnerabilities. The patch in question was released almost ten years ago – in 2005.

As reported widely last week, the vulnerabilities affecting the Rom Pager software can be found in some 12 million broadband routers by manufacturers including Linksys, D-Link, Huawei, TP-Link, ZTE and Edimax. In short: some of the most common sellers of broadband routers in the world.

The security firm Check Point discovered the vulnerabilities and issued a report about them. (The report web site is here and a PDF format report is here.) According to Check Point, the Misfortune Cookie vulnerability has to do with a flaw in the HTTP cookie management mechanism in the Rom Pager software. The flaw allows an attacker to send specially crafted HTTP cookies that exploit the vulnerability.

 

A successful attack that exploited the “Misfortune Cookie” vulnerabilities could corrupt memory and alter the application and system state. A knowledgeable attacker could use the flaw to force the vulnerable router to treat the current HTTP session with administrative privileges. That would give them the ability to manipulate the home router: changing DNS settings to redirect users to malicious servers under the attacker’s control, for example, or employing the home router itself in a botnet used for denial of service attacks or spam campaigns.

Nasty stuff – to be sure. But that brings us back to the Allegro statement from Friday. Because, as the company said, “Misfortune Cookie” wasn’t news to Allegro – it had identified and patched the holes in a software update back in 2005.

As often is the case in the embedded systems space, however, that software update wasn’t circulated to devices that bundle Rom Pager in the field. Allegro, which is now shipping Rom Pager version 5.40, said it doesn’t have the ability to update devices running its software.

“Unfortunately, not all manufacturers using Allegro Software products have updated their devices with the latest Rom Pager software component,” the company wrote.

Consider that for a moment: imagine buying a new laptop computer from Dell or HP, only to find that it shipped with Office 97 installed, along with the (many) security holes that go along with that software. Users would be outraged.

In the embedded systems space, however, this kind of practice is common. As Allegro notes in its message to customers: “In some cases, manufacturers continue to make and sell products with software components that are over 13 years old, which can expose products to security concerns.”

Check Point’s research note explains that applications like Rom Pager are often bundled with chipsets that are used to construct devices like home routers. “The way application updates are integrated in router firmware, many devices ship with the vulnerable version in place,” Check Point noted.

To patch Misfortune Cookie, router manufacturers will first need to get a patched version of Rom Pager, then integrate it into the current firmware for each vulnerable router model. Then they’ll need to install that firmware on the vulnerable routers. Considering that ISPs are loath to modify CPE (customer premises equipment) for fear of disabling features, and that most customers wouldn’t know their home router from a clock radio, you can see why – ten years after the fact – millions of home routers remain vulnerable while Allegro’s patch gathers dust.

Security vulnerabilities affecting small office and home office (SoHo) equipment are a pressing issue, as cyber criminal groups are increasingly going after loosely managed, Internet-connected devices. In October, the firm Rapid7 warned of implementation and configuration vulnerabilities in NAT-PMP features in more than 1 million SoHo routers that make them potentially vulnerable to remote attacks that could expose private internal network traffic to prying eyes.

In September, researchers at the firm Sucuri warned of a web-based attack launched from the site of a popular Brazilian newspaper that was targeting home broadband routers. And, in July, the Electronic Frontier Foundation launched the Open Wireless Router Project to develop an alternative to commercial SOHO routers that is more secure and can operate in a peer-to-peer mode.
