Is TG582n vulnerable to Misfortune Cookie?

BrianC
Dabbler
Posts: 15
Thanks: 4
Registered: 12-12-2013

Is TG582n vulnerable to Misfortune Cookie?

Misfortune Cookie: The Hole in Your Internet Gateway
http://mis.fortunecook.ie/
http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222%20
"Is it that bad?
Yes."
The TG582n is not listed in the known vulnerable routers - but conversely, have Plusnet verified it to be safe?
The vulnerability relates to a specific version of a specific embedded webserver prevalent in consumer routers from various vendors. But unfortunately the TG582n blanks out the server identity in its HTTP response, which means we have no idea what it's running.

$ telnet x.x.x.x 80
Trying x.x.x.x...
Connected to dsldevice.lan.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 302 Moved Temporarily
Date: Fri, 19 Dec 2014 11:19:30 GMT
Server:
Cache-control: no-cache="set-cookie"
ETag: "xxx-xxxxxxxx"
Content-length: 0
Connection: close
Set-Cookie: xAuth_SESSION_ID=xxxxxxxxxxxxxxxx; path=/;
Location: http://127.0.0.1:80/landing.lp
Connection closed by foreign host.
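An added example, not part of the original post: the manual banner check above, scripted so it can be run over captured response headers. The affected product and fixed version (Allegro RomPager before 4.34) are taken from the CVE-2014-9222 entry, not from this thread, and the function names and sample responses are constructed for illustration.

```python
import re

# Constructed sample: the response headers shown in the post (values redacted as posted).
TG582N_RESPONSE = (
    "HTTP/1.0 302 Moved Temporarily\r\n"
    "Date: Fri, 19 Dec 2014 11:19:30 GMT\r\n"
    "Server:\r\n"
    'Cache-control: no-cache="set-cookie"\r\n'
    "Content-length: 0\r\n"
    "Connection: close\r\n"
    "Location: http://127.0.0.1:80/landing.lp\r\n"
    "\r\n"
)

# Assumption from the CVE-2014-9222 entry: RomPager versions before 4.34 are affected.
FIXED_VERSION = (4, 34)


def server_header(raw):
    """Return the Server header value, "" if present but blank, None if absent."""
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify(raw):
    """Classify a response by its Server banner only.

    A banner can be blanked or rewritten by the vendor, so "undetermined" and
    "other-server" are not evidence that the device is safe; they only mean the
    banner does not answer the question.
    """
    banner = server_header(raw)
    if not banner:
        return "undetermined"
    match = re.search(r"RomPager/(\d+)\.(\d+)", banner, re.IGNORECASE)
    if not match:
        return "other-server"
    version = (int(match.group(1)), int(match.group(2)))
    return "affected-version" if version < FIXED_VERSION else "fixed-version"


if __name__ == "__main__":
    print(classify(TG582N_RESPONSE))
```

For the TG582n response the result is "undetermined", which matches the post's conclusion that the blank Server header gives no answer either way.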
12 REPLIES
Community Veteran
Posts: 38,460
Thanks: 1,027
Fixes: 62
Registered: 15-06-2007

Re: Is TG582n vulnerable to Misfortune Cookie?

http://www.ispreview.co.uk/index.php/2014/12/masses-broadband-routers-hit-misfortune-cookie-security... and the concern appears to relate to the use of TR69
Moved to Feedback as it isn't fibre specific
A thought - does blocking cookies in the browser stop this, and is it related to this in my router log?
Quote
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 125.41.79.63 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable
Note the router can't spell either  Grin
BrianC
Dabbler
Posts: 15
Thanks: 4
Registered: 12-12-2013

Re: Is TG582n vulnerable to Misfortune Cookie?

Quote from: Oldjim
A thought - does blocking cookies in the browser stop this

No - this is about people on the Internet being able to break into your router from the outside. This will happen even if all your PCs are turned off, but the router is switched on.
"All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address."
Quote
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 125.41.79.63 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable

The first IP address is in China, however the firewall log message is next to useless.
Either it means someone in China tried to connect to your router on a port which was not open (in which case your router would have sent back an ICMP "port unreachable"). Or it could be the opposite: your machine tried to connect outbound to this IP in China and the response back was ICMP "port unreachable", and the firewall has logged this response.
RwhinnieWHP
Newbie
Posts: 1
Registered: 19-12-2014

Re: Is TG582n vulnerable to Misfortune Cookie?

What is the position regarding Plusnet-supplied routers and the "Misfortune Cookie"? Are there any things we need to be aware of or do?
Community Veteran
Posts: 38,460
Thanks: 1,027
Fixes: 62
Registered: 15-06-2007

Re: Is TG582n vulnerable to Misfortune Cookie?

Topic merged in from ADSL
Community Gaffer
Community Gaffer
Posts: 17,644
Thanks: 636
Fixes: 162
Registered: 05-04-2007

Re: Is TG582n vulnerable to Misfortune Cookie?

The 582n isn't on the list of affected routers, but we're checking this to confirm. When we have more information we'll get back to you.
 Chris Parr
 Plusnet Staff
PeeGee
Aspiring Pro
Posts: 1,087
Thanks: 47
Fixes: 3
Registered: 05-04-2009

Re: Is TG582n vulnerable to Misfortune Cookie?

All the TP-Link entries in the list are "TD-.....", which means an integrated modem device; there are no "TL-...." routers listed, nor the latest Archer models. Does this apply to other makes?
Plusnet Fibre (Sep 2014), Essentials (Feb 2013); ADSL (Apr 2009); Customer since Jan 2004 (on 28kb dial-up)
Using a TP-Link TD-W9980 modem-router.
pribeiro
Newbie
Posts: 4
Registered: 19-12-2014

Re: Is TG582n vulnerable to Misfortune Cookie?

Any updates on this?
This is a pretty serious vulnerability...
Plusnet Staff
Plusnet Staff
Posts: 1,834
Thanks: 3
Registered: 24-07-2014

Re: Is TG582n vulnerable to Misfortune Cookie?

I'm chasing this for you and hope to have more information shortly.
 Tony
 Plusnet Support
pribeiro
Newbie
Posts: 4
Registered: 19-12-2014

Re: Is TG582n vulnerable to Misfortune Cookie?

Still waiting...
Plusnet Staff
Plusnet Staff
Posts: 1,834
Thanks: 3
Registered: 24-07-2014

Re: Is TG582n vulnerable to Misfortune Cookie?

Sorry for the delay in getting back to you. The people that I wanted to speak with haven't been about.
Technicolor have confirmed that the TG582n is NOT vulnerable to the Misfortune cookie bug.

 Tony
 Plusnet Support
Longliner
Grafter
Posts: 33
Fixes: 1
Registered: 22-10-2014

Re: Is TG582n vulnerable to Misfortune Cookie?

I was concerned about this too. Thank you for your assurance.
pribeiro
Newbie
Posts: 4
Registered: 19-12-2014

Re: Is TG582n vulnerable to Misfortune Cookie?

Thanks Tony!