Hello,
I recently ran a penetration test on our MX64W as part of PCI compliance and was notified of 1 vulnerability (CVE-2016-1000212).
The vulnerability is regarding lighttpd and is applicable to all versions <= 1.4.40. I have confirmed from HTTP response header "Server: lighttpd/1.4.39" on the Meraki status page. This vulnerability is well documented here: httpoxy.org
First, I have blocked all access to the Meraki status page from any external IP addresses, which should essentially mitigate this issue (unless a hacker is onsite, in which case I probably have much bigger problems).
I am in no way a security expert, and since this issue has been known for over a year (not to mention I can't find anyone else talking about it), I'm led to believe it must be a non-issue.
Can someone please confirm/deny whether this is still a current vulnerability, or reassure me that there is nothing to worry about?
Any knowledge on the matter is greatly appreciated.
Thanks
Support looked into this and it does not appear to be a concern. The vulnerability is not with lighttpd itself but the ability to pass a header to dynamic server-side scripts. From their internal checking this isn't a concern with the way it is configured on the MX.
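The mechanism support is describing is the httpoxy one: a CGI gateway turns every request header into an `HTTP_<NAME>` environment variable, so a client-supplied `Proxy:` header lands in the script's environment as `HTTP_PROXY`, which many HTTP client libraries read as their outbound proxy setting. The example below is added here and is not Meraki's or lighttpd's code; it simulates the RFC 3875 header-to-variable mapping on constructed request headers, shows the hardened form that drops the variable, and gives a check that can be run from inside a real CGI script against `os.environ`.

```python
import os
import re

# Constructed sample request headers, as a scanner such as the one in the
# original post would send; the Proxy header is the one httpoxy abuses.
SAMPLE_REQUEST_HEADERS = {
    "Host": "192.0.2.1",
    "User-Agent": "pci-scanner/1.0",
    "Proxy": "http://203.0.113.5:8080",
}


def cgi_meta_variables(headers: dict) -> dict:
    """Map request headers to CGI meta-variables the way a CGI gateway does
    (RFC 3875): uppercase, non-alphanumerics become '_', prefixed with HTTP_.
    This is the step that turns 'Proxy' into HTTP_PROXY."""
    env = {}
    for name, value in headers.items():
        key = "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", name).upper()
        env[key] = value
    return env


def hardened_meta_variables(headers: dict) -> dict:
    """Same mapping, but the client is never allowed to set HTTP_PROXY.
    This is what the lighttpd fix (dropping the Proxy request header) achieves."""
    env = cgi_meta_variables(headers)
    env.pop("HTTP_PROXY", None)
    return env


def outbound_proxy(env: dict):
    """What a server-side script's HTTP client library would pick up as its
    outbound proxy if it consults HTTP_PROXY (many do by default)."""
    return env.get("HTTP_PROXY")


def httpoxy_exposure(env: dict = None) -> dict:
    """Run inside a CGI script (defaults to the live environment) to see
    whether a request header reached the process as HTTP_PROXY. Only a
    script that makes outbound HTTP requests can actually be affected."""
    env = os.environ if env is None else env
    return {
        "http_proxy_from_client": "HTTP_PROXY" in env,
        "value": env.get("HTTP_PROXY"),
    }
```

A status page whose back end makes no outbound HTTP requests has no proxy to hijack even when `HTTP_PROXY` is populated, which is the point support made above.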
Being the page doesn't do any CGI or proxy I don't see any issues.
@ohv_ wrote: Being the page doesn't do any CGI or proxy I don't see any issues.
Back-end uses CGI.
What firmware version are you running? Meraki is pretty on top of it patching CVEs. I'd guess you have an older version of FW.
Edit: For what it's worth, on my MX84 running the latest Beta (14.17), the status page responds with lighttpd/1.4.39.