Four years after its public disclosure, the Misfortune Cookie vulnerability continues to be a threat, this time affecting medical equipment that connects bedside devices to the hospital's network infrastructure.
The vulnerability has a critical severity rating and was reported initially in 2014 by security researchers at Check Point, who found it lodged in some versions of the RomPager embedded web server, used for hosting the web-based administration panel by about 200 router models from different makers.
Elad Luz, Head of Research at CyberMDX, a company focused on security challenges in hospitals and clinical networks, found that the same versions of RomPager (4.01 through 4.34) affected by Misfortune Cookie ran on different variants of the Capsule Datacaptor Terminal Server (DTS), which is part of the medical device information system.
The device is used in hospitals to connect bedside equipment (anesthesia and infusion pumps, respirators and IoT products) to the network.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert for the vulnerability, now tracked as CVE-2014-9222, noting that it has a severity score of 9.8 out of 10.
"This vulnerability allows an attacker to send a specially crafted HTTP cookie to the web management portal to write arbitrary data to the device memory, which may allow remote code execution," the ICS-CERT alert states.
Capsule Technologies, a Qualcomm Life subsidiary, has released a patch to fix the vulnerability, but it applies just to the Single Board variant of the DTS, from 2009.
Technical limitations prevent the patched firmware from working on the Dual Board, Capsule Digi Connect ES and Capsule Digi Connect ES converted to DTS. To mitigate the risk on these products, administrators should disable the embedded web server, which is necessary only during the initial deployment stage, for configuration purposes.
Exploit code for this security bug is freely available, and attackers can adapt it to their needs. Moreover, a module is present in the Metasploit penetration testing tool to get admin access to the device without providing credentials.
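For administrators checking which devices still expose an affected embedded server, the following added example (not code from the article, CyberMDX or the vendors) classifies `Server` header values from an asset inventory against the 4.01 through 4.34 range stated above. The banner shape `RomPager/<major>.<minor>`, the function names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Affected range as stated in the article: RomPager 4.01 through 4.34.
AFFECTED_MIN = (4, 1)
AFFECTED_MAX = (4, 34)

# Assumed banner shape, e.g. "RomPager/4.07 UPnP/1.0".
BANNER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def rompager_version(server_header):
    """Return (major, minor) parsed from a Server header, or None."""
    m = BANNER_RE.search(server_header or "")
    if not m:
        return None
    # Minor is read as an integer, so "4.07" becomes (4, 7).
    return int(m.group(1)), int(m.group(2))


def classify(server_header):
    """Classify one banner as 'affected', 'not-affected' or 'no-rompager'."""
    version = rompager_version(server_header)
    if version is None:
        return "no-rompager"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


def triage(inventory):
    """Map each host in {host: server_header} to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (documentation-range addresses, made-up banners).
SAMPLE = {
    "192.0.2.10": "RomPager/4.07 UPnP/1.0",
    "192.0.2.11": "RomPager/4.34",
    "192.0.2.12": "RomPager/4.51 UPnP/1.0",
    "192.0.2.13": "nginx",
    "192.0.2.14": "",  # no banner: server disabled or header suppressed
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(f"{host}\t{verdict}")
```

A `no-rompager` result only means the banner did not match; confirm on the device itself that the embedded server is disabled.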
RomPager is developed by Allegro Software, and it is one of the most used OEM web servers on the market today. The company claims that the product is present on more than 200 million devices shipped by its partners around the world.
Although Misfortune Cookie gained public notoriety in 2014, Allegro Software actually discovered and patched it nine years earlier, in version 4.34 of the firmware.
However, chipset manufacturers did not adopt the new versions, which would have cost them a new license, and continued to bundle the vulnerable releases into their SDKs (software development kits). The SDKs are used by the device makers to develop firmware, and they do not have control over the software that comes with them.
The devices that came with RomPager versions vulnerable to CVE-2014-9222 could not be updated unless the chipset maker provided a new SDK with newer software.
This led to the propagation of the critical security issue over the years, for as long as users continued to use their devices.
13 years after Allegro dealt with the problem, and four years after the issue came to public attention, there are plenty of products susceptible to compromise via Misfortune Cookie. A cursory search on Shodan shows that over one million devices connected to the internet run RomPager 4.07.
The number is much lower than the 12 million unique devices directly exploitable over the web detected by Check Point in 2014, but it is still a significant figure.