In this article, we describe the importance of keeping software (especially networking software) up-to-date.
RomPager web server vulnerability
A good illustration of the issue is the story of the RomPager web server. Quoting a security report:
RomPager is sold to chipset manufacturers which then bundle it in their SDKs that are used by router vendors when developing the firmware for their products. The vulnerability in ROM Pager has been dubbed Misfortune Cookie and is being tracked as CVE-2014-9222 in the Common Vulnerabilities and Exposures database. It can be exploited by sending a single specifically crafted request to the RomPager server.
The Misfortune Cookie flaw only exists in RomPager versions older than 4.34 and was actually discovered and patched by the vendor itself back in 2005 following internal code reviews. However, many router models, including new ones released this year, still include old RomPager versions in their firmware, especially RomPager 4.07, according to Tal.
The Check Point researchers have identified around 200 router models from various manufacturers, including D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL, that are likely vulnerable. Based on Internet scans, they have detected almost 12 million unique devices in 189 countries that are directly exploitable over the Internet.
The bottom line is:
- A popular web server software vendor had an established best practice of internal code reviews and testing.
- A vulnerability was found and patched by the vendor back in 2005.
- However, many of the customers had not updated their software years after the vulnerability was found and fixed (reference).
- By using an old, unpatched version of the software, hardware vendors put millions of their customers at a serious security risk.
Cesanta software updates
At Cesanta, we take the responsibility for our software seriously:
- We follow strict disciplines and best practices for software development.
- We have continuous integration tests set up.
- We test on many target platforms.
- We constantly do internal code audits.
- We review every single commit that goes into the code base.
- And most important of all, we hire only top-class engineers.
But as with any other software, there is no guarantee that it is bug-free, so I cannot stress enough the importance of keeping your software up to date. We recommend that all open-source users stay up to date with the latest release of their respective Cesanta product.
Our Commercial Licensing customers have the option of a Software Maintenance package subscription, and we strongly encourage you to avail of it so that you can stay abreast of important security updates.