Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and products, allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors related to authorization.

The remote host is running RomPager, an embedded web server most often used to provide web administration capabilities for networked printers, network switches, and other devices.

Versions of RomPager 4.07 and prior to 4.34 are potentially affected by multiple issues : 

  - A buffer overflow vulnerability exists because the RomPager web server fails to perform adequate bounds checks on user-supplied input. Attackers can exploit this issue to execute arbitrary code with the privileged access of RomPager.(CVE-2014-9223)

  - A security bypass vulnerability exists due to an error within the HTTP cookie management mechanism (aka, the 'Misfortune Cookie' issue) which could allow any user to determine the 'fortune' of a request by manipulating cookies. An attacker can exploit this issue to corrupt memory and alter the application state by sending specially crafted HTTP cookies. This could be exploited to gain the administrative privileges for the current session by tricking the attacked device. (CVE-2014-9222)

Note: The 'Misfortune Cookie' vulnerability only applies if the cookie feature has been enabled on the RomPager server. Furthermore, some sources indicate that these vulnerabilities can be patched while not affecting or increasing the self-reported RomPager version in the banner.

Nessus was able to overwrite the request path by sending a specially crafted cookie to the remote web server. It is, therefore, affected by multiple vulnerabilities :

  - A flaw in HTTP cookie management in the embedded web     server allows a remote attacker to execute arbitrary     code with administrative privileges and to possibly     conduct attacks against connected devices.
    (CVE-2014-9222)

  - A digest authentication buffer overflow flaw exists that     allows a remote attacker to cause a denial of service or     to execute arbitrary code. (CVE-2014-9223)

According to its banner, the remote host is running a version of Allegro Software RomPager 4.07 to 4.33. It is, therefore, affected by multiple vulnerabilities :

  - A flaw in HTTP cookie management in the embedded web     server allows a remote attacker to execute arbitrary     code with administrative privileges and to possibly     conduct attacks against connected devices.
    (CVE-2014-9222)

  - A digest authentication buffer overflow flaw exists that     allows a remote attacker to cause a denial of service or     to execute arbitrary code. (CVE-2014-9223)

ID	Name	Product	Family	Severity
8614	Allegro RomPager 4.07 < 4.34 Multiple Vulnerabilities (Misfortune Cookie)	Nessus Network Monitor	Web Servers	critical
80304	Allegro RomPager HTTP Cookie Management Remote Code Execution Vulnerability (Misfortune Cookie)	Nessus	Web Servers	critical
80228	Allegro RomPager HTTP Cookie Management Remote Code Execution Vulnerability (Misfortune Cookie)	Nessus	Web Servers	critical

Detections

Analytics

CVE-2014-9223

critical

Tenable Plugins

critical

critical

critical