Security ID : NAS-201412-24

Security Alert for Misfortune Cookie Vulnerability on Residential Gateways


  • Release date : December 24, 2014

  • CVE identifier : CVE-2014-9222

  • Affected products: All Turbo NAS series that are connected to residential gateway devices (e.g. routers) using vulnerable versions of the Allegro RomPager embedded web server

Severity

Critical

Status

Resolved


Summary

The Misfortune Cookie vulnerability can be exploited by remote attackers to take over a residential gateway and execute arbitrary code on the device. Other devices connected to the gateway are at increased risk of compromise: the attacker can then steal your credentials and personal or business data, or attempt to infect your machines with malware.

For more information about the Misfortune Cookie vulnerability, visit the Check Point website at http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/.

Solution

Check for firmware updates addressing this issue from your device vendor and apply the updates immediately. If there are no such updates, contact your device vendor to see if your device is vulnerable.

Several methods can mitigate this issue:

  1. Disable services that listen for HTTP or HTTPS connections on the device's WAN side.
  2. Technical users may consider flashing alternative firmware to their devices. However, you do this at your own risk, and note that this action may invalidate device warranties.

For more details on the mitigation methods, visit the CERT organization website: http://www.kb.cert.org/vuls/id/561444

To make your Turbo NAS more secure, please do the following:

  1. Update your Turbo NAS to the latest firmware version or install Qfix for Bash security patch (Qfix 1.0.2 build 1008) for QTS firmware prior to 2014/10/03 (QTS 4.1.1 Build 1003).
  2. Change the default password for the admin account.
  3. Protect shared folders on your NAS with privileged access rights (non-guest rights).
  4. Force your Turbo NAS to use only HTTPS connections for secure communication. To do so, log in to your Turbo NAS as the admin, go to “Control Panel” > “System Settings” > “General Settings” and choose the “System Administration” tab. Check the “Enable secure connection (HTTPS)” option and enter the port number, then check the “Force secure connection (HTTPS) only” option. Click “Apply” to apply the changes.
    QNAP
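To confirm that the “Force secure connection (HTTPS) only” setting from step 4 is actually in effect, the following added check (example code, not QNAP's) probes the plain-HTTP admin port and expects either a refused connection or a redirect to an https:// URL. The host, the default port 8080 and the sample responses are constructed placeholders, not values from this advisory.

```python
"""Verify that a Turbo NAS no longer serves its admin UI over plain HTTP."""
import http.client
from urllib.parse import urlsplit


def classify_plain_http(status, headers):
    """Classify the response to a plain-HTTP request against the admin UI.

    status  -- HTTP status code (int)
    headers -- list of (name, value) pairs, as returned by
               http.client.HTTPResponse.getheaders()
    Returns "https_only", "plain_http_allowed" or "unexpected".
    """
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if 300 <= status < 400 and location:
        # A redirect only counts as enforcement if it sends the client to https://
        if urlsplit(location).scheme.lower() == "https":
            return "https_only"
        return "plain_http_allowed"
    if status == 200:
        # The admin page was served in clear text: the setting is not in effect.
        return "plain_http_allowed"
    return "unexpected"


def check_https_only(host, http_port=8080, timeout=5):
    """Probe the NAS admin port over plain HTTP and return the verdict.

    A refused connection also satisfies the requirement (there is no
    plain-HTTP listener at all); a timeout or DNS failure is reported
    separately so it is not mistaken for a pass.
    """
    try:
        conn = http.client.HTTPConnection(host, http_port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        verdict = classify_plain_http(resp.status, resp.getheaders())
        conn.close()
        return verdict
    except ConnectionRefusedError:
        return "https_only"
    except OSError:  # covers socket timeouts and name-resolution failures
        return "unreachable"


if __name__ == "__main__":
    # Constructed sample response; "nas.example.invalid" is a placeholder host.
    print(classify_plain_http(301, [("Location", "https://nas.example.invalid/")]))
    print(check_https_only("nas.example.invalid"))
```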

If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/

Revision History: 2014-12-24
