DEFCON22 had a number of revelations concerning the web server security of systems meant to deploy TR-069 in a subscriber network. Most of that investigation focused on vulnerable ACSs: malicious attackers gaining access to the auto-configuration server, which would let them control many hundreds of thousands of home devices.
Recently, the same investigators set their sights on the broadband CPE themselves and discovered some interesting vulnerabilities, including one dubbed the “Misfortune Cookie”. This vulnerability takes advantage of the way a certain older web service, common on gateways and embedded devices, handles cookies, allowing an attacker to gain complete access to the CPE.
CPE are only susceptible to this vulnerability if they contain the old code (which has since been patched) and are listening on open ports such as 80, 8080, 443, and the port reserved for TR-069 connection requests, 7547. This is not a vulnerability in TR-069 itself, of course, just a consequence of its prevalence: CPE leave this port open in anticipation of an ACS making a connection request to the device.
While there are ways around this (including using XMPP for CPE connection requests rather than HTTP, as specified in TR-069), the best way is to ensure that CPE listening for HTTP connection requests are configured to accept such requests only from the ACS they are configured to use. Not only is this generally a good practice, it also ensures that other malicious attacks cannot target the connection request port.
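The recommendation above, as an added example that is not part of the original post and not CDRouter's or any vendor's CPE code: a minimal connection-request listener on port 7547 that refuses to process anything (headers and cookies included) unless the request comes from an address in the CPE's configured ACS allow-list. The ACS addresses, the port and the handler behaviour are assumptions for illustration; a real CPE would also verify the HTTP Digest credentials the ACS presents before opening a CWMP session.

```python
"""Added example: source-address allow-listing for TR-069 connection requests.
Not from the original post; addresses and behaviour are illustrative."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allow-list: the ACS this CPE is provisioned to use. A real CPE
# would derive this from its management (ACS URL) configuration.
ACS_ALLOWLIST = ("203.0.113.10", "2001:db8:ac5::/64")


def is_allowed_source(client_ip: str, allowlist=ACS_ALLOWLIST) -> bool:
    """Return True only if client_ip is one of the allowed ACS addresses or
    lies inside one of the allowed networks. Anything that does not parse,
    on either side, is rejected rather than allowed through."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for entry in allowlist:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a malformed allow-list entry never matches
        if addr.version == net.version and addr in net:
            return True
    return False


class ConnectionRequestHandler(BaseHTTPRequestHandler):
    """Handles the HTTP connection request an ACS sends to wake the CPE."""

    def do_GET(self):
        src = self.client_address[0]
        if not is_allowed_source(src):
            # Reject before looking at any header or cookie from an unknown peer,
            # so a crafted request from the open internet never reaches the
            # cookie-handling code the post describes.
            self.send_error(403, "connection requests are accepted from the ACS only")
            return
        # A real CPE would verify HTTP Digest credentials here and then
        # initiate a CWMP session to its ACS; this example only acknowledges.
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def serve(port: int = 7547) -> None:
    """Listen on the TR-069 connection-request port (assumed 7547)."""
    HTTPServer(("0.0.0.0", port), ConnectionRequestHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The allow-list check is kept as a separate function so the same policy can be applied in a packet filter in front of the listener as well; the listener itself is the last line of defence and should never be the only one.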
As always, CDRouter contains test cases for validating the firewall and access list functions of your devices. In addition, the CDRouter Nmap test modules let you perform rigorous network scanning of your device so that you know its exposure and can lock down potential vulnerabilities.
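As an added example of the kind of exposure check described above (this is not CDRouter's own test logic and not code from the original post), the following parses Nmap grepable (`-oG`) output for a device's WAN side and reports which of the management ports named in the post (80, 8080, 443 and 7547) are open. The scan output embedded below is constructed for illustration; a real run would feed the output of `nmap -oG - <wan-address>` into the same parser.

```python
"""Added example: flag exposed management ports from Nmap -oG output.
Not from the original post; the scan text below is constructed."""
import re

# Ports the post names as exposing the vulnerable service when left open.
MANAGEMENT_PORTS = {80: "http", 8080: "http-alt", 443: "https", 7547: "cwmp (TR-069)"}

# Constructed -oG output for two hypothetical CPE WAN addresses.
SAMPLE_SCAN = (
    "Host: 192.0.2.1 ()\tPorts: 53/closed/tcp//domain///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 7547/open/tcp//cwmp///\tIgnored State: closed (996)\n"
    "Host: 192.0.2.2 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)\n"
)

# One -oG port entry is port/state/protocol/owner/service/rpc/version/.
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text: str) -> dict:
    """Return {host: [(port, state, proto, service), ...]} for each Host: line."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports = []
        m = re.search(r"Ports: ([^\t]*)", line)
        if m:
            for port, state, proto, svc in _PORT_RE.findall(m.group(1)):
                ports.append((int(port), state, proto, svc))
        results[host] = ports
    return results


def exposed_management_ports(text: str) -> dict:
    """Return {host: sorted open TCP ports from MANAGEMENT_PORTS}; hosts with
    none of them open are omitted, so an empty dict means nothing to fix."""
    exposed = {}
    for host, ports in parse_grepable(text).items():
        hits = sorted(
            port for port, state, proto, _ in ports
            if proto == "tcp" and state == "open" and port in MANAGEMENT_PORTS
        )
        if hits:
            exposed[host] = hits
    return exposed


if __name__ == "__main__":
    for host, ports in exposed_management_ports(SAMPLE_SCAN).items():
        names = ", ".join(f"{p} ({MANAGEMENT_PORTS[p]})" for p in ports)
        print(f"{host}: management ports reachable from the WAN: {names}")
```

Any host reported with 7547 open should be checked against the allow-list recommendation above; 80, 8080 and 443 reachable from the WAN side are worth closing unless remote management is deliberately intended.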