Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

SOLVED
Jimmytwo
Just browsing

Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

Hello,

 

I recently ran a penetration test on our MX64W as part of PCI-Compliance and was notified of 1 vulnerability (CVE-2016-1000212).
The vulnerability is regarding lighttpd and is applicable to all versions <= 1.4.40. I have confirmed from HTTP response header "Server: lighttpd/1.4.39" on the meraki status page. This vulnerability is well documented here: httpoxy.org

 

First, I have blocked all access to the meraki status page from any external IP addresses, which should essentially mitigate this issue (unless a hacker is onsite, in which case I probably have much bigger problems).

I am in no way a security expert, and since this issue has been known for over a year (not to mention I can't find anyone else talking about it), I'm led to believe it must be a non-issue.

Can someone please confirm/ deny whether this is still a current vulnerability, or reassure me that there is nothing to worry about.
Any knowledge on the matter is greatly appreciated.
Thanks

1 ACCEPTED SOLUTION

Support looked into this and it does not appear to be a concern. The vulnerability is not with lighttpd itself but the ability
to pass a header to dynamic server sides scripts. From their internal checking this isn't a concern with the way it is configured
on the MX.

View solution in original post

5 REPLIES 5
ohv_
Conversationalist

Being the page doesn't do any cgi or proxy I dont see any issues.

BHC_RESORTS
Head in the Cloud


@ohv_ wrote:

Being the page doesn't do any cgi or proxy I dont see any issues.


Back-end uses CGI.

BHC Resorts IT Department

Support looked into this and it does not appear to be a concern. The vulnerability is not with lighttpd itself but the ability
to pass a header to dynamic server sides scripts. From their internal checking this isn't a concern with the way it is configured
on the MX.

Thank you everyone for the clarification.
BHC_RESORTS
Head in the Cloud

What firmware version are you running? Meraki is pretty on top of it patching CVE's. I'd guess you have an older version of FW.

 

Edit: For what it's worth, on my MX84 running the latest Beta (14.17), the status page responds with lighttpd/1.4.39.

BHC Resorts IT Department
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels