Allegro RomPager 4.07 < 4.34 Multiple Vulnerabilities (Misfortune Cookie)

Critical Nessus Network Monitor Plugin ID 8614

Synopsis

According to its banner, the remote host is running an embedded web server which may be vulnerable to multiple attack vectors.

Description

The remote host is running RomPager, an embedded web server most often used to provide web administration capabilities for networked printers, network switches, and other devices.

RomPager versions 4.07 and prior to 4.34 are potentially affected by multiple issues:

- A buffer overflow vulnerability exists because the RomPager web server fails to perform adequate bounds checks on user-supplied input. Attackers can exploit this issue to execute arbitrary code with the privileged access of RomPager. (CVE-2014-9223)

- A security bypass vulnerability exists due to an error within the HTTP cookie management mechanism (aka the 'Misfortune Cookie' issue), which could allow any user to determine the 'fortune' of a request by manipulating cookies. An attacker can exploit this issue to corrupt memory and alter the application state by sending specially crafted HTTP cookies. This could be exploited to gain administrative privileges for the current session by tricking the attacked device. (CVE-2014-9222)

Note: The 'Misfortune Cookie' vulnerability only applies if the cookie feature has been enabled on the RomPager server. Furthermore, some sources indicate that these vulnerabilities can be patched while not affecting or increasing the self-reported RomPager version in the banner.

Solution

Contact the vendor for an updated firmware image. Allegro addressed both issues in mid-2005 with RomPager version 4.34.
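A banner-based triage in the spirit of this check, as an added example (not Tenable's plugin code). It assumes the Server header has the form "RomPager/<major>.<minor>" and treats any version below the fixed release 4.34 as unpatched. The host addresses and banners are constructed sample data.

```python
import re

FIXED = (4, 34)  # fixed release named in the Solution section

# Assumed banner shape, e.g. "RomPager/4.07 UPnP/1.0" (product/major.minor).
_BANNER = re.compile(r"\bRomPager/(\d+)\.(\d+)", re.IGNORECASE)


def classify_banner(server_header):
    """Return (status, version) for one HTTP Server header value."""
    if "rompager" not in server_header.lower():
        return ("not-rompager", None)
    m = _BANNER.search(server_header)
    if m is None:
        # RomPager is present but the version is hidden: needs manual review.
        return ("rompager-unknown-version", None)
    # Compare as integer pairs so that 4.07 sorts below 4.34 numerically.
    version = (int(m.group(1)), int(m.group(2)))
    if version < FIXED:
        # "Potentially": per the Note above, a patched firmware image may
        # still report the old version in its banner.
        return ("potentially-affected", version)
    return ("fixed-per-banner", version)


def triage(inventory):
    """Return {host: status} for hosts that need firmware follow-up."""
    follow_up = {}
    for host, header in sorted(inventory.items()):
        status, _ = classify_banner(header)
        if status in ("potentially-affected", "rompager-unknown-version"):
            follow_up[host] = status
    return follow_up


# Constructed sample inventory (documentation address range).
SAMPLE = {
    "192.0.2.10": "RomPager/4.07 UPnP/1.0",
    "192.0.2.11": "RomPager/4.34",
    "192.0.2.12": "Allegro-Software-RomPager/4.51 UPnP/1.0",
    "192.0.2.13": "nginx",
    "192.0.2.14": "RomPager",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

Hosts reported as potentially-affected still need their firmware build confirmed with the vendor, since the banner alone cannot prove patch status.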

See Also

http://mis.fortunecook.ie/

http://www.nessus.org/u?e6bf690f

http://www.nessus.org/u?22cba06d

http://www.kb.cert.org/vuls/id/561444

Plugin Details

Severity: Critical

ID: 8614

Family: Web Servers

Published: 2015/02/20

Modified: 2016/01/19

Dependencies: 1442

Nessus ID: 80228

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:allegrosoft:rompager

Patch Publication Date: 2005/12/30

Vulnerability Publication Date: 2014/12/19

Exploitable With

CANVAS (CANVAS)

Metasploit (Allegro Software RomPager 'Misfortune Cookie' Scanner)

Reference Information

CVE: CVE-2014-9222, CVE-2014-9223

BID: 71756, 71744