Misfortune Cookie

A vulnerability which uses a malformed Cookie to take control of many SOHO routers has been identified by Checkpoint and dubbed Misfortune Cookie, with the label CVE-2014-9222.

Do the latest Mac virus definitions from Sophos protect against this?



This thread was automatically locked due to age.
  • Having had another read of the advisory I'm beginning to think I've misunderstood how this operates. My understanding was that an infected website transmits a malformed cookie which then attacks the router from the LAN side.

    I think this is probably wrong and the attack is from the WAN side, utilising the remote access web server that many routers contain to facilitate remote support via TR-069. If this is the case then QC is correct that AV will do nothing to protect against it, although Checkpoint imply in their statement that AV - in their case ZoneAlarm - would offer some protection. I suppose they would say that, wouldn't they...

    If the attack does come from outside then, as firmware patches tend to have a lengthy gestation, switching off remote access via the WAN offers some protection, although an alternative brand of router is possibly a better long term bet.

    Asus routers get patched pretty frequently and I know that Drayteks, at least in the current models, don't use any of the offending code.

    I'd be interested to hear from someone more knowledgeable whether my interpretation of the attack vector is correct and that the attack is only possible from the WAN side in the manner I describe.
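The reply above suggests switching off remote access via the WAN as a stop-gap until a firmware patch arrives. The script below is an added example, not code from this thread, from Sophos or from Check Point: it confirms that the change actually took effect by sending a single plain HTTP GET to the router's public address and reporting whether any web server answers. It assumes you know your router's WAN address and the port its remote-management setting uses (both passed on the command line), and it must be run from outside your own network (a mobile connection, say), because from inside the LAN you would reach the LAN-side interface, which is the distinction the reply draws. The "Server" header value used in the comments is constructed, not taken from any real device.

```python
import argparse
import socket
from typing import Optional


def send_http_get(host: str, port: int, timeout: float = 5.0) -> Optional[bytes]:
    """Connect to host:port, send a minimal GET for '/', and return the raw response.

    Returns None if the connection is refused, filtered or times out, which is the
    result you want to see once remote management has been switched off.
    """
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            total = 0
            while total < 65536:  # the headers are enough; don't read a whole page
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return b"".join(chunks)
    except OSError:  # covers ConnectionRefusedError and socket.timeout
        return None


def summarize_response(raw: Optional[bytes]) -> dict:
    """Reduce a raw HTTP response to what the exposure check needs:
    whether anything answered, the status code, and the Server header.

    A constructed response such as
    b"HTTP/1.1 401 Unauthorized\\r\\nServer: ExampleRouterHTTPd/1.0\\r\\n\\r\\n"
    yields {"reachable": True, "status": 401, "server": "ExampleRouterHTTPd/1.0"}.
    """
    if raw is None:
        return {"reachable": False, "status": None, "server": None}
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1", errors="replace").split("\r\n")
    status = None
    parts = lines[0].split(" ", 2)
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        status = int(parts[1])
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
            break
    # An empty reply still means something accepted the TCP connection.
    return {"reachable": True, "status": status, "server": server}


def exposure_verdict(summary: dict) -> str:
    """Turn the summary into a one-line verdict for the person running the check."""
    if not summary["reachable"]:
        return "OK: no web server answered; remote management appears to be switched off"
    return (
        f"EXPOSED: a web server answered (HTTP {summary['status']}, "
        f"Server: {summary['server']}); remote management is still reachable from the WAN"
    )


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Check whether a router's web admin interface answers on the WAN side"
    )
    parser.add_argument("host", help="your public (WAN) address; run this from outside your LAN")
    parser.add_argument("port", type=int, help="the port your router's remote-management setting uses")
    args = parser.parse_args()
    print(exposure_verdict(summarize_response(send_http_get(args.host, args.port))))
```

Run it as `python wan_check.py <your-WAN-address> <remote-management-port>` from a connection outside your own network. A verdict of EXPOSED after you have disabled remote access usually means the setting did not apply, or a second listener (the TR-069 management server the reply mentions) is still open; an OK verdict on the web port says nothing about other ports, so repeat it for each port the router's remote-management page lists.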