Ars breaks Misfortune Cookie vulnerability news to public

While the flaw is 12 years old and the fix 9, the article suggests that
firmware for consumer routers may yet be being built with the vulnerable
webserver code baked in.

If you are responsible for lots of eyeballs you might want to look at this.

Have a nice Christmas weekend. :slight_smile:

-- jra

Glad I'm using a freebsd based routing solution.

Here’s the thing I don’t get… You have X provider supplying routers with vulnerable firmware that have remote support (TR-069) enabled.
Why would Check Point not at least name and shame, instead of trying to market their security? I know the hack is old, but grandma isn’t probably up to date on the latest firmware that should have been upgrade through TR-069. I’m honestly more upset with the reporting than the normal residential cpe didn’t get upgraded.

But yeah, Happy Holidays everyone...


Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222

19:25 <@andrewTO> has a list of potentially vulnerable devices
19:25 <@math> andrewTO@opensrs++


* (Javier J) [Sat 20 Dec 2014, 00:50 CET]:

Glad I'm using a freebsd based routing solution.

Time to update that one too:

  -- Niels.

On what basis do you assume that there is TR-069 support in these routers? And even if there is, that the service provider manages them via TR-069?


Haha, yeah I spoke too soon.

Happy Holidays.

Also has anyone looked at the list of devices / vendors that are using that

Did the vendors know their vendor was giving them buggy software?

What is the test for this vuln?