Misfortune Cookie is a firmware vulnerability in the firmware for some routers.
Once the embedded software running the device is exploited, the attacker can gain a command line interface (CLI). The device can then be used to gather data, steal credentials or upload malicious files to connected computers and compromise the network.
When the flaw was discovered in late 2014, it had already been in existence for a decade. The source of the issue is an error in the HTTP cookie-management mechanism in the device software. All the attacker has to do is send a single packet containing a malicious HTTP cookie to begin an exploit.
Lior Oppenheim, a researcher for network and endpoint security vendor Check Point Software Technologies Ltd., discovered the flaw, officially known as CVE-2014-9222. According to Check Point, the vulnerability affects over 12 million affected devices in 200 different models. Any unpatched model using RomPager embedded web server software in a version earlier than v. 4.34 may be vulnerable.
Although there have not yet been any documented Misfortune Cookie router attacks, Check Point is publicizing the vulnerability as a wake-up call for small office and home (SOHO) networks and the embedded device industry.
See also: embedded device hacking