
Difference between revisions of "Misfortune Cookie Vulnerability"

Line 48: Line 48:
# A lot of your questions can be answered on [http://www.tp-link.com/en/support/faq/?pcid=203&problem=&m=TD-W8951ND&keywords=&faqid= TP-Links FAQs]
# A lot of your questions can be answered on [http://www.tp-link.com/en/support/faq/?pcid=203&problem=&m=TD-W8951ND&keywords=&faqid= TP-Links FAQs], feel free to browse
# Any WAN vulnerability is blocked from the Internet by disabling WAN access by ACL (Access Control Level):
# Any WAN vulnerability is blocked from the Internet by disabling WAN access by ACL (Access Control Level):
## Log into ''''''
## Log into ''''''
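Review bot: the revised first item appends ", feel free to browse" directly after the link, which reads as a comma splice and leaves the link label as "TP-Links FAQs" without its apostrophe; "TP-Link's FAQs; feel free to browse them." would read better. In the unchanged context, the step "Log into ''''''" carries empty emphasis markup where the address to log into should appear, so the ACL instructions never say where to log in; the address belongs inside that markup.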

Revision as of 18:00, 31 December 2014

A TP-Link TD-W8951ND modem

This article is about the so-called Misfortune Cookie vulnerability discovered in modem firmware in 2014: what it is and what to do about it.


Each modem/router sold by NCF has a built-in web server to allow the modem to be configured by any computer via any browser.

In December 2014, Carnegie Mellon University CERT, based on findings by researchers from Check Point’s Malware and Vulnerability Research Group, announced that some DSL modems/routers have a vulnerability that has existed in the firmware since 2002. The problem lies in firmware whose web server is built on vulnerable versions of Allegro RomPager, which is used by many modems/routers, including some of those sold by NCF.


The vulnerability can be fixed in recent modems/routers by upgrading the firmware, which replaces the web server with a newer version that does not have the vulnerability.

Older modems do not have a firmware upgrade available, so it is important to make full use of the available security to prevent outsiders from using the web server to re-configure the modem in some undesirable way.

It is possible to access the web server in two different ways:

  1. Connect to the web server from the outside, via the DSL line (WAN side). This route is closed if you are using a modem/router that has been configured by NCF (see Note 2 below).
  2. Connect to the web server from the inside (LAN side), either via your Wi-Fi network or via an Ethernet cable. We assume that you are not going to let untrusted persons connect to your LAN via Ethernet, so you also need to prevent them from connecting to it wirelessly. It is therefore very important that you have good security on your Wi-Fi network, with a good password. If the modem/router has been configured by NCF, it will have a good password (by default, NCF uses your NCF DSL password also for log-in and Wi-Fi).

As a general rule, if your modem/router has been configured by NCF, and you are sure that unknown persons cannot use your Wi-Fi network, you have pretty good security against the "Misfortune Cookie" vulnerability.


NCF has looked into this vulnerability and strongly recommends that you perform the following steps:

As long as you have the following hardware versions and the latest corresponding firmware versions installed, then your modem/router is not affected by the Misfortune Cookie.

  • TD-W8951ND:
    • hardware v5; firmware TD-W8951ND_V5_141114
    • hardware v6; firmware TD-W8951ND_V6_141027
  • TD-8816: hardware v8; firmware TD-8816_V8_140311

The firmware (FW) version can be identified and upgraded by executing the following steps:

  • Ensure that you have your NCF credentials on-hand before performing the upgrade
  • Connect your desktop or laptop to the modem/router via Ethernet cable - this should NOT be done via Wi-Fi!
  • Launch a browser and type in the URL (see this TP-Link article)
  • Username: admin, Password: NCF_DSL_PW (by default, NCF uses the NCF_DSL_PW also for log-in and Wi-Fi Pre-Shared Key)
  • Click on the Maintenance tab
  • Click on the Firmware tab and verify that your FW version is as indicated above. If not, follow the TP-Link upgrade instructions.
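When several modems have to be checked, the comparison in the last step can be scripted. The following is an added example, not NCF or TP-Link code: it assumes the firmware string is written in the form listed above (model, hardware version, six-digit build) and that the six digits are a YYMMDD build date; the inventory is constructed sample data.

```python
import re
from datetime import datetime

# Fixed builds exactly as listed on this page: (model, hardware version) -> build.
FIXED = {
    ("TD-W8951ND", 5): "141114",
    ("TD-W8951ND", 6): "141027",
    ("TD-8816", 8): "140311",
}

# Assumed layout of the firmware names above: <model>_V<hw>_<6-digit build>.
FW_RE = re.compile(r"^(?P<model>TD-[A-Z0-9]+)_V(?P<hw>\d+)_(?P<build>\d{6})$")


def classify(firmware: str) -> str:
    """Return one of: listed, older, newer, no-listed-fix, unparseable."""
    m = FW_RE.match(firmware.strip().upper())
    if not m:
        return "unparseable"
    key = (m["model"], int(m["hw"]))
    if key not in FIXED:
        # Hardware revision with no fixed firmware on this page: rely on ACL and Wi-Fi settings.
        return "no-listed-fix"
    try:
        # Assumption: the six digits are a YYMMDD build date.
        have = datetime.strptime(m["build"], "%y%m%d")
        want = datetime.strptime(FIXED[key], "%y%m%d")
    except ValueError:
        return "unparseable"
    if have == want:
        return "listed"
    # "newer" is reported separately because the page only vouches for the listed builds.
    return "older" if have < want else "newer"


def audit(inventory: dict) -> dict:
    """Map each device label to its firmware status."""
    return {label: classify(fw) for label, fw in inventory.items()}


if __name__ == "__main__":
    sample = {  # constructed inventory, not real customer data
        "office": "TD-W8951ND_V5_141114",
        "home": "td-w8951nd_v6_140101",
        "cottage": "TD-8816_V7_130501",
    }
    for label, status in audit(sample).items():
        print(f"{label}: {status}")
```

A result of "older" means the upgrade instructions apply; "no-listed-fix" means the page lists no fixed firmware for that hardware version.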


  1. A lot of your questions can be answered in TP-Link's FAQs; feel free to browse them.
  2. Any WAN vulnerability is blocked from the Internet by disabling WAN access by ACL (Access Control Level):
    1. Log into
    2. Enter admin & DSL password
    3. Click on Access Management tab
    4. Verify that ACL: Activated is selected
    5. Verify that Interface: LAN is selected.
  3. NCF has verified this on all modems since July/August 2014. NCF also checked that the Remote Management port is disabled. See this TP-Link article for further step-by-step instructions.
  4. Any vulnerability on the LAN side is blocked by using a strong Wi-Fi password (NCF applies the DSL password here). If your Wi-Fi is open (no password is required to connect, as in many public places), then your modem is open to attack. We strongly advise that you implement Authentication Type: WPA-PSK/WPA2-PSK with Encryption: TKIP/AES to secure your Wi-Fi network with the highest available settings.
