Difference between revisions of "Misfortune Cookie Vulnerability"

(updated text from ope mgr, formatted)
Line 1: Line 1:
In December 2014 [https://en.wikipedia.org/wiki/CERT_Coordination_Center Carnegie Mellon University CERT] [http://www.kb.cert.org/vuls/id/561444 announced] that some routers and DSL gateways have vulnerabilities that have existed in the [[firmware]] since 2002. [http://www.kb.cert.org/vuls/id/852879 further info]. Please contact NCF or bring it over if you are unsure on how to proceed.
This article is about vulnerabilities discovered on modem [[firmware]] in 2014, what it is and what to do about it.


As long as you have the following hardware versions and the latest corresponding firmware versions installed, then you are not affected.
==Background==
* TD-W8951ND: hardware v5, v6; with firmware TD-W8951ND_V5_141114 or TD-W8951ND_V6_141027
Each modem/router sold by NCF has a built-in web server to allow the modem to be configured by any computer via the browser.
* TD-8816: hardware v8; firmware TD-8816_V8_140311


Firmware version can be identified by executing the following steps:
In December 2014 [https://en.wikipedia.org/wiki/CERT_Coordination_Center Carnegie Mellon University CERT] [http://www.kb.cert.org/vuls/id/561444 announced] that some DSL modems/routers have a vulnerability that have existed in the firmware since 2002 ([http://www.kb.cert.org/vuls/id/852879 further info]). This security problem has been detected in the web server portion of the firmware used by many modems/routers, including some of those sold by NCF.
* Verify hardware version - how to find hardware version, see http://www.tplink.ca/en/Article/?id=46
* Connect your desktop or laptop to the modem via Ethernet cable - this can't be done via Wi-Fi!
* Launch a browser and type in the URL 192.168.1.1
* User: admin, PW: NCF_DSL_PW
* Click on the Maintenance tab
* Click on the Firmware tab and verify that your version is as indicated above


Notes:
==Vulnerability==
# If your modem is marked as v5 or v6, apply firmware update 141114 immediately.
The security vulnerability can be fixed in recent modems/routers by upgrading the [[firmware]], replacing the web server by a newer version that does not have the security vulnerability.
# Vulnerability is blocked from the Internet by disabling WAN ACL (log to 192.168.1.1, enter admin/DSL password, click on Access management, verify ACL is Activated, Interface LAN is selected. NCF started verifying this on all modems since July/August 2014. NCF checked and Remote Management is disabled.  
 
# Vulnerability is blocked from the LAN by using a strong Wi-Fi password (NCF applies DSL password here). If your Wi-Fi is open, your modem is open to any attack.
Older modems do not have a firmware upgrade available, so it is important to make full use of the available security to prevent outsiders from using the web server to re-configure the modem in some undesirable way.
 
It is possible to access the web server in two different ways:
 
# Connect to the web server from the outside, via the DSL line (WAN side). This route is closed if you are using a modem/router that has been configured by NCF
#Connect to the web server from the inside (LAN side), either via your wireless or via an Ethernet cable. You are not going to let some unknown person connect by Ethernet, but you also need to prevent them from connecting to it wirelessly. It is therefore very important that you have good security on your wireless network, with a good password. If the modem/router has been configured by NCF, it will have a good password (by default, NCF uses your NCF [[DSL password]] also for log-in and Wi-Fi).
 
As a general rule, if you modem/router has been configured by NCF, and you are sure that unknown persons cannot use your wireless connection, you have pretty good security against the "Misfortune Cookie" vulnerability.
 
==Fixes==
NCF has looked into this vulnerability and recommends the following steps:
 
*Verify hardware version - see [http://www.tplink.ca/en/Article/?id=46 this TP-Link page] to find hardware version
*If your modem/router is in the level identified by TP-Link as upgradable, please ensure that you update the firmware, either yourself or by contacting NCF and arranging for the update to be done for you. You'll need to bring the modem/router with its power supply to NCF. No need to bring any cables (we have those).
*If your modem/router is not upgradable, NCF highly recommends that you procure a newer modem/router, either from NCF or from a trusted store
*Regardless of the above, the following two TP-Link articles describe recommend safe practices:
**[http://www.tp-link.com/en/article/?faqid=573 How to protect your TP-LINK network devices from potential attack?]
**[http://www.tp-link.com/en/article/?faqid=308 How to disable remote management function for TP-LINK ADSL modem router]
 
As long as you have the following hardware versions and the latest corresponding firmware versions installed, then your modem/router is not affected by the Misfortune Cookie.
 
*TD-W8951ND: hardware v5 or v6; firmware TD-W8951ND_V5_141114 or TD-W8951ND_V6_141027
*TD-8816: hardware v8; firmware TD-8816_V8_140311
 
The firmware (FW) version can be identified and upgraded by executing the following steps:
 
*Ensure that you have your NCF credentials on-hand before performing the upgrade
*Connect your desktop or laptop to the modem/router via Ethernet cable - this should NOT be done via Wi-Fi!
*Launch a browser and type in the URL 192.168.1.1 (see http://www.tp-link.com/en/article/?faqid=315)
*User: admin, Password: NCF_DSL_PW (by default, NCF uses the NCF_DSL_PW also for log-in and Wi-Fi)
*Click on the maintenance or Status tabs
*Click on the Firmware tab and verify that your FW version is as indicated above. If not, [follow the TP-Link upgrade instructions http://www.tp-link.com/en/article/?faqid=296].
 
==Notes==
 
*A lot of your questions can be answered on [http://www.tp-link.com/en/support/faq/?pcid=203&problem=&m=TD-W8951ND&keywords=&faqid= TP-Links FAQs]
*Any vulnerability is blocked from the Internet by disabling WAN ACL:
**Log into 192.168.1.1
**Enter admin [[DSL password]]
**Click on Access management
**Verify ACL is activated
**Interface LAN is selected.  
*NCF started verifying this on all modems since July/August 2014. NCF checked and Remote Management is disabled. See [http://www.tp-link.com/en/article/?faqid=476 this TP-Link article]] for step-by-step instructions.
*Any vulnerability is blocked from the LAN by using a strong Wi-Fi password (NCF applies the DSL password here). If your Wi-Fi is open (no password is required to connect, like in many public places), then your modem is open to attack.


[[Category:DSL]]
[[Category:DSL]]
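Review bot: in the new Notes list, "Any vulnerability is blocked from the Internet by disabling WAN ACL" contradicts its own sub-steps, which have the reader verify that ACL is activated with interface LAN selected; suggest wording such as "by activating the ACL and restricting it to the LAN interface". Two markup slips in the same revision: "[follow the TP-Link upgrade instructions http://www.tp-link.com/en/article/?faqid=296]" puts the label before the URL, so it will not render as a link, and "this TP-Link article]]" has one closing bracket too many. Since the new text states that the DSL password is also used for the admin log-in and for Wi-Fi, it would help to say that anyone who is given the Wi-Fi password can also log in to the configuration page.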

Revision as of 16:27, 31 December 2014

This article describes the vulnerabilities discovered in modem firmware in 2014: what they are and what to do about them.

Background

Each modem/router sold by NCF has a built-in web server to allow the modem to be configured by any computer via the browser.

In December 2014 Carnegie Mellon University CERT announced that some DSL modems/routers have a vulnerability that has existed in the firmware since 2002 (further info). This security problem has been detected in the web server portion of the firmware used by many modems/routers, including some of those sold by NCF.

Vulnerability

The security vulnerability can be fixed in recent modems/routers by upgrading the firmware, which replaces the web server with a newer version that does not have the vulnerability.

Older modems do not have a firmware upgrade available, so it is important to make full use of the available security to prevent outsiders from using the web server to re-configure the modem in some undesirable way.

It is possible to access the web server in two different ways:

  1. Connect to the web server from the outside, via the DSL line (WAN side). This route is closed if you are using a modem/router that has been configured by NCF.
  2. Connect to the web server from the inside (LAN side), either via your wireless or via an Ethernet cable. You are not going to let some unknown person connect by Ethernet, but you also need to prevent them from connecting to it wirelessly. It is therefore very important that you have good security on your wireless network, with a good password. If the modem/router has been configured by NCF, it will have a good password (by default, NCF uses your NCF DSL password also for log-in and Wi-Fi).

As a general rule, if your modem/router has been configured by NCF, and you are sure that unknown persons cannot use your wireless connection, you have pretty good security against the "Misfortune Cookie" vulnerability.

Fixes

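NCF has looked into this vulnerability and recommends the following steps:

  • Verify the hardware version - see this TP-Link page (http://www.tplink.ca/en/Article/?id=46) to find the hardware version
  • If your modem/router is in the level identified by TP-Link as upgradable, please ensure that you update the firmware, either yourself or by contacting NCF and arranging for the update to be done for you. You'll need to bring the modem/router with its power supply to NCF. No need to bring any cables (we have those).
  • If your modem/router is not upgradable, NCF highly recommends that you procure a newer modem/router, either from NCF or from a trusted store
  • Regardless of the above, the following two TP-Link articles describe recommended safe practices:
    • How to protect your TP-LINK network devices from potential attack? (http://www.tp-link.com/en/article/?faqid=573)
    • How to disable remote management function for TP-LINK ADSL modem router (http://www.tp-link.com/en/article/?faqid=308)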

As long as you have the following hardware versions and the latest corresponding firmware versions installed, then your modem/router is not affected by the Misfortune Cookie.

  • TD-W8951ND: hardware v5 or v6; firmware TD-W8951ND_V5_141114 or TD-W8951ND_V6_141027
  • TD-8816: hardware v8; firmware TD-8816_V8_140311

The firmware (FW) version can be identified and upgraded by executing the following steps:

  • Ensure that you have your NCF credentials on-hand before performing the upgrade
  • Connect your desktop or laptop to the modem/router via Ethernet cable - this should NOT be done via Wi-Fi!
  • Launch a browser and type in the URL 192.168.1.1 (see http://www.tp-link.com/en/article/?faqid=315)
  • User: admin, Password: NCF_DSL_PW (by default, NCF uses the NCF_DSL_PW also for log-in and Wi-Fi)
  • Click on the Maintenance or Status tab
  • Click on the Firmware tab and verify that your FW version is as indicated above. If not, follow the TP-Link upgrade instructions (http://www.tp-link.com/en/article/?faqid=296).
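
For anyone checking more than one modem, the comparison in the last step can be scripted. The following is an added example, not part of the NCF article or of TP-Link's tools: it classifies a firmware string read from the Firmware tab against the fixed builds listed above. The function name, the result labels, and the assumption that the last field is a YYMMDD build date (so later builds keep the fix) are illustrative.

```python
import re

# Fixed builds exactly as listed on this page: (model, hardware version) -> build.
FIXED_BUILDS = {
    ("TD-W8951ND", 5): "141114",
    ("TD-W8951ND", 6): "141027",
    ("TD-8816", 8): "140311",
}

# Assumed layout of the firmware string: <model>_V<hardware>_<6-digit build>.
FIRMWARE_RE = re.compile(r"^(?P<model>TD-[A-Z0-9]+)_V(?P<hw>\d+)_(?P<build>\d{6})$")


def check_firmware(reported, label_hw=None):
    """Classify a firmware string read from the modem's Firmware tab.

    label_hw is the hardware version printed on the device label, if known.
    Returns one of: 'unparseable', 'hardware-mismatch', 'no-fixed-build',
    'update-needed', 'ok'.
    """
    m = FIRMWARE_RE.match(reported.strip().upper())
    if m is None:
        return "unparseable"
    model, hw, build = m["model"], int(m["hw"]), m["build"]
    if label_hw is not None and label_hw != hw:
        # Firmware built for a different hardware revision than the label says.
        return "hardware-mismatch"
    fixed = FIXED_BUILDS.get((model, hw))
    if fixed is None:
        # The page lists no fixed firmware for this model/hardware revision.
        return "no-fixed-build"
    # Assumption: the build field is a YYMMDD date, so equal-length digit
    # strings compare chronologically and later builds keep the fix.
    return "ok" if build >= fixed else "update-needed"


if __name__ == "__main__":
    # Constructed sample readings, not taken from real devices.
    for fw, hw in [("TD-W8951ND_V5_141114", 5), ("TD-W8951ND_V5_130821", 5),
                   ("TD-8816_V8_140311", 8), ("TD-W8951ND_V4_140101", 4),
                   ("TD-W8951ND_V6_141027", 5), ("3.0.0 Build 120731", None)]:
        print(f"{fw!r:28} -> {check_firmware(fw, hw)}")
```

A result of 'no-fixed-build' corresponds to the "not upgradable" case in the steps above, where NCF recommends replacing the modem/router.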

Notes

  • A lot of your questions can be answered in TP-Link's FAQs
  • Any vulnerability is blocked from the Internet by disabling WAN ACL:
    • Log into 192.168.1.1
    • Enter the user name admin and your DSL password
    • Click on Access management
    • Verify ACL is activated
    • Interface LAN is selected.
  • NCF has been verifying this on all modems since July/August 2014. NCF checked and Remote Management is disabled. See this TP-Link article (http://www.tp-link.com/en/article/?faqid=476) for step-by-step instructions.
  • Any vulnerability is blocked from the LAN by using a strong Wi-Fi password (NCF applies the DSL password here). If your Wi-Fi is open (no password is required to connect, like in many public places), then your modem is open to attack.