Difference between revisions of "Misfortune Cookie Vulnerability"
Latest revision as of 09:12, 13 September 2018
This article is about the Misfortune Cookie vulnerability discovered on modem firmware in 2014, what it is and what to do about it.
Background
Each modem/router has a built-in web server that allows the modem to be configured by any computer via any browser.
In December 2014 Carnegie Mellon University CERT, based on findings by researchers from Check Point’s Malware and Vulnerability Research Group, discovered that some DSL modems/routers have a vulnerability that has existed in the firmware since 2002. This problem has been detected in the vulnerable versions of Allegro's RomPager that is part of the built-in web server portion of the firmware employed by many modems/routers, including some of those sold by NCF.
For the list of affected modems and whether they are upgradable, see the Upgradable Units and Non-Upgradable Units sections below.
Vulnerability
The security vulnerability can be fixed in recent modems/routers by upgrading the firmware, replacing the web server with a newer version that does not have the security vulnerability.
Older modems do not have a firmware upgrade available, so it is important to make full use of the available security measures to prevent outsiders from using the web server to re-configure the modem in some undesirable way.
It is possible to access the built-in web server in two different ways:
- Connect to the built-in web server from the outside, via the DSL line (WAN side). We believe that this route is closed if you are using a modem/router that has been configured by NCF - see Notes 2 & 3 below. Note: we are checking whether any additional 'holes' exist and, if so, how to plug them. One such 'hole' was identified by NCF and a fix was implemented locally.
- Connect to the built-in web server from the inside (LAN side), either via your Wi-Fi network or via an Ethernet cable. We assume that you are not going to let untrusted person/s connect to your LAN via Ethernet, so in the same manner you also need to prevent them from connecting to it wirelessly. It is therefore very important that you have good security on your Wi-Fi network, with a good password. If the modem/router has been configured by NCF, it will have a good password (by default, NCF uses your NCF DSL password also for log-in and Wi-Fi).
As a general rule, if your modem/router has been configured by NCF, meets the hardware/firmware criteria below, and you are sure that unknown persons cannot use your Wi-Fi network, you have pretty good security against the "Misfortune Cookie" vulnerability from the LAN side. The WAN side potential exposure is being investigated and NCF is taking every possible step to ensure your modem/router can't be exploited.
Fixes
NCF has looked into this vulnerability and strongly recommends that you perform the following steps:
- Verify the hardware version - see this TP-Link page (http://www.tp-link.com/ca/faq-46.html) on how to find the hardware version
- If your modem/router is in the level identified by TP-Link as upgradable (8951: v5 or v6, 8816: v8), please ensure that you update the firmware ASAP, either by yourself (if you are comfortable doing so) or by contacting NCF and arranging for the update to be done for you. You'll need to bring the modem/router with its power supply to NCF. No need to bring any cables (we have those).
- If your modem/router is not upgradable, NCF strongly recommends that you procure a newer modem/router, either from NCF or from a trusted store.
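- Alternatively, Carnegie Mellon University CERT suggests (http://www.kb.cert.org/vuls/id/561444) that units that do not have new firmware available can have their firmware replaced with dd-wrt, openwrt, or others. NCF members can do this themselves at their own risk.
- Regardless of the above, the following two TP-Link articles describe recommended safe practices:
  - How to protect your TP-LINK network devices from potential attack? (http://www.tp-link.com/en/article/?faqid=573)
  - How to disable remote management function for TP-LINK ADSL modem router (http://www.tp-link.com/en/article/?faqid=308)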
Upgradable Units
As long as you have the following hardware versions and the latest corresponding firmware versions installed, then your modem/router is not affected by the Misfortune Cookie.
All firmware updates (as given at http://www.tp-link.com/lk/support/download/?pcid=203&model=&all=0, select your specific modem) that state “Improved security mechanism” have port 7547 (CWMP, remote management) closed by default.
- Sold by NCF
  - TD-W8951ND, Hardware v5: Firmware needs to be upgraded to TD-W8951ND_V5_160113 - zipped file is no longer available.
  - TD-8816, Hardware v8.x: Firmware needs to be upgraded to TD-8816_V8_160112 - zipped file is located at http://www.tp-link.com/res/down/soft/TD-8816(UN)_V8_160112.zip.
- Not sold by NCF - this information is shared as provided by TP-Link, no implicit or explicit NCF guarantee about its accuracy or validity:
  - TD-W8961ND, Hardware v4: Firmware needs to be upgraded to TD-W8961ND_V4_150630 - zipped file is no longer available.
  - TD-W8961ND, Hardware v3: Firmware needs to be upgraded to TD-W8961ND_V3_150707 - zipped file is no longer available.
  - TD-W8951ND, Hardware v6: Firmware needs to be upgraded to TD-W8951ND_V6_150522 - zipped file is located at http://www.tp-link.com/resources/software/TD-W8951ND_V6_150522.zip.
  - TD-W8901N, Hardware v1: Firmware needs to be upgraded to TD-W8901N_V1_141114 - zipped file is located at http://www.tp-link.com/resources/software/TD-W8901N_V1_141114.zip.
  - TD-W8901N, Hardware v2: Firmware needs to be upgraded to TD-W8901N_V2_141103 - zipped file is located at http://www.tp-link.com/resources/software/TD-W8901N_V2_141103.zip.
The firmware (FW) version can be identified and upgraded by executing the following steps:
- Ensure that you have your NCF credentials on-hand before performing the upgrade
- Connect your desktop or laptop to the modem/router via Ethernet cable - this should NOT be done via Wi-Fi! If you try to perform this via your Wi-Fi connection, you'll see the following message: ERROR: FAIL TO UPDATE! Please note that only wired connection is allowed when using firmware upgrade or RomFile backup & upgrade function.
- Launch a browser and type in the URL 192.168.1.1 (see this TP-Link article: http://www.tp-link.com/en/article/?faqid=315)
- Username: admin, Password: NCF DSL password (by default, NCF uses the NCF DSL password also as the log-in_password and Wi-Fi Pre-Shared Key)
- Click on the Maintenance tab
- Click on the Firmware tab and verify that your FW version is as indicated above. If not, follow the TP-Link upgrade instructions (http://www.tp-link.com/en/faq-688.html).
Non-Upgradable Units
- TD-W8951ND, Hardware v4: at risk - TP-Link has not issued a firmware fix
- TD-8816, Hardware v7: at risk - TP-Link has not issued a firmware fix
- TD-W8901G: at risk - the unit has reached end-of-life (EOL) and is no longer supported by the manufacturer. TP-Link has not issued a firmware fix
- TD-8840T: at risk - TP-Link has not issued a firmware fix
Notes
1. A lot of your questions can be answered in TP-Link's FAQs (http://www.tp-link.com/en/support/faq/?pcid=203&problem=&m=TD-W8951ND&keywords=&faqid=); feel free to browse.
2. WAN vulnerability (subject to the Note above, in the Vulnerability section) is blocked from the Internet by disabling WAN access via ACL (Access Control Level) settings:
   - Log into 192.168.1.1, press Enter
   - Enter Username: admin & Password: NCF DSL password, click on the Login button
   - Click on the Access Management tab
   - Verify that ACL: Activated is selected. If not, do so
   - Verify that Interface: LAN is selected. If not, do so
   - Click Save
3. NCF has been disabling WAN access via ACL on all modems since July/August 2014. NCF also checked that the Remote Management port is disabled. See this TP-Link article (http://www.tp-link.com/en/article/?faqid=476) for further step-by-step instructions.
4. LAN vulnerability is blocked from the LAN by using a strong Wi-Fi password (NCF applies the NCF_DSL_password here). If your Wi-Fi is open (where, as in many public Wi-Fi access places, no password is required to connect), then your modem is open to attack. We strongly advise that you implement Authentication Type: WPA-PSK/WPA2-PSK with Encryption: TKIP/AES to secure your Wi-Fi network with the highest available settings.
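To confirm that the ACL and remote-management settings described in the Notes took effect, the check below probes your own modem's management ports and reports which ones still answer. It is an added example, not NCF or TP-Link code. Port 7547 comes from this page; port 80 for the built-in web server is an assumption, as are the function names.

```python
import socket

# 7547 (CWMP) is named in the article; 80 is assumed to be the port of the
# built-in web server (the page only gives the address 192.168.1.1).
PORTS = {80: "web admin (HTTP)", 7547: "CWMP remote management"}


def probe(host, port, timeout=3.0):
    """Return (state, server_header) for one TCP port.

    state is "closed" (connection refused), "filtered" (no answer) or "open".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", None
    except OSError:  # timeouts and unreachable hosts end up here
        return "filtered", None
    with sock:
        sock.settimeout(timeout)
        server = None
        try:
            # A minimal HEAD request makes an HTTP server identify itself.
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
            for line in data.split(b"\r\n")[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"server":
                    server = value.strip().decode("latin-1")
                    break
        except OSError:
            pass  # port is open but did not speak HTTP in time
        return "open", server


def audit(host, ports=PORTS, timeout=3.0):
    """Probe each port; return (raw results, findings that need action)."""
    results, findings = {}, []
    for port, role in ports.items():
        state, server = probe(host, port, timeout)
        results[port] = (state, server)
        if state == "open":
            note = f"port {port} ({role}) is reachable"
            if server and "rompager" in server.lower():
                note += f"; answered by {server}"
            findings.append(note)
    return results, findings


if __name__ == "__main__":
    import sys
    _, found = audit(sys.argv[1])
    print("\n".join(found) or "no management port reachable")
```

Run it against your WAN address from a connection outside your own network: with ACL set to LAN only and remote management disabled, both ports should come back closed or filtered. From inside the LAN, port 80 is expected to be open because that is how you reach the configuration pages.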