“Misfortune Cookie” – Allegro Software Urges Manufacturers To Maintain Device Security
Security and Connectivity for the IoT Edge
Allegro Software Urges Manufacturers
To Maintain Firmware for Highest Level of Embedded Device Security
CVE-2014-9222 and CVE-2014-9223 security concerns addressed almost a decade ago
BOXBOROUGH, MA December 19, 2014 – Allegro Software, a leading supplier of Internet component software for embedded devices, urges manufacturers of network enabled embedded products to maintain the latest release of component software in their products. Since standards based protocols continue to evolve and new networking security concerns continue to be uncovered and addressed, using the latest version of Allegro’s software components is the way that manufacturers can be assured that their products include robust security and the highest levels of compatibility with standards.
An example is the case of the CVE-2014-9222 and CVE-2014-9223 vulnerabilities (also known as Misfortune Cookie). These vulnerabilities were discovered in the RomPager embedded web server version 4.07, which was released in 2002. Allegro had previously identified, fixed, and released updated software components that addressed these vulnerabilities. RomPager version 4.34, which resolved these vulnerabilities, was provided to Allegro Software customers in 2005. Allegro has continued to provide updates and enhancements to the RomPager software, and the latest available version is 5.40.
Unfortunately, not all manufacturers using Allegro Software products have updated their devices with the latest RomPager software component. In some cases, manufacturers continue to make and sell products with software components that are over 13 years old, which can expose products to security concerns. Allegro Software is a software component supplier to product manufacturers. Allegro Software does not have the ability to upgrade or patch our customer’s manufactured products. If you have a product that is affected by the above security concerns, please contact the product manufacturer to obtain a firmware update.
“MISFORTUNE COOKIE” VULNERABILITY IN VERSION 4.07 – CVE-2014-9222
In early 2002, Allegro Software released the RomPager (v4.07) embedded web server which added support for browser cookies. After the v4.07 release, Allegro identified and fixed a security issue related to the implementation of cookies with the RomPager (v4.34) release in mid 2005. Since 2005, all new and existing customers under Allegro’s software maintenance program have been provided the latest software so that they can update their products and resolve this security concern.
DIGEST BUFFER OVERFLOW VULNERABILITY IN VERSION 4.07 – CVE-2014-9223
RomPager Version 4.07 also included a Digest Authentication buffer overflow vulnerability. This security issue was also identified and addressed in the RomPager 4.34 software release.
Since version 4.34, Allegro Software has continued to invest in embedded device security with ongoing development of our existing products and creation of new products aimed at secure Internet connectivity. These investments have included the creation of the Allegro Cryptography Engine (ACE), which has received FIPS 140-2 validation (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#2048). Allegro’s suite of Advanced Edition toolkits with IPv4/IPv6 capabilities have been fully integrated with ACE and is targeted at next-generation embedded systems connectivity with advanced security requirements. “For over 18 years, Allegro has focused on delivering highly reliable software components for embedded systems found in consumer electronics, medical devices, industrial-control applications, military applications and more.” says Bob Van Andel, President of Allegro. “We take embedded device security seriously and want our customer partners to do the same. We strongly urge manufacturers to maintain their firmware with the latest software components to deliver the highest level of Internet communications compatibility and embedded device security to the end customer.”
Allegro Software Development Corporation is a premier provider of embedded Internet software components with an emphasis on industry-leading device management, embedded device security, UPnP-DLNA networking, and the Internet of Things. Since 1996, Allegro has been on the forefront of leading the evolution of secure device management solutions with its RomPager embedded web server and security toolkits. Also an active contributor to UPnP and DLNA initiatives, Allegro supplies a range of UPnP and DLNA toolkits that offer portability, easy integration, and full compliance with UPnP and DLNA specifications. Allegro is headquartered in Boxborough, MA.
Allegro Software Development Corporation