Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

SOLVED
Just browsing

Hello,

I recently ran a penetration test on our MX64W as part of PCI-Compliance and was notified of 1 vulnerability (CVE-2016-1000212).
The vulnerability is regarding lighttpd and is applicable to all versions <= 1.4.40. I have confirmed from HTTP response header "Server: lighttpd/1.4.39" on the meraki status page. This vulnerability is well documented here: httpoxy.org

First, I have blocked all access to the meraki status page from any external IP addresses, which should essentially mitigate this issue (unless a hacker is onsite, in which case I probably have much bigger problems).

I am in no way a security expert, and since this issue has been known for over a year (not to mention I can't find anyone else talking about it), I'm led to believe it must be a non-issue.

Can someone please confirm/deny whether this is still a current vulnerability, or reassure me that there is nothing to worry about.
Any knowledge on the matter is greatly appreciated.
Thanks

Accepted Solution
Meraki Employee

Re: Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

Support looked into this and it does not appear to be a concern. The vulnerability is not with lighttpd itself but with the ability to pass a header to dynamic server-side scripts. From their internal checking, this isn't a concern with the way it is configured on the MX.
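The mechanism the original post and the accepted answer are talking about, as an added example that is not code from the thread, from Meraki or from lighttpd: a CGI-capable web server copies each request header into an HTTP_* environment variable (RFC 3875 section 4.1.18), so a client-supplied "Proxy" header becomes HTTP_PROXY, which unpatched HTTP client libraries read as their outbound proxy. The block shows the naive mapping beside the mitigated one (drop the header before building the environment) and a parser for the "Server: lighttpd/x.y.z" banner that applies the <= 1.4.40 range the scanner flagged. The header values and the scanner name are constructed for the example.

```python
# Added example (not code from the Meraki thread or from lighttpd): how the
# httpoxy bug (CVE-2016-1000212) arises when a web server copies request
# headers into a CGI environment, plus the two checks a tester would run.
import re
from typing import Dict, Optional, Tuple


def cgi_meta_variables(headers: Dict[str, str], strip_proxy: bool = False) -> Dict[str, str]:
    """Map request headers to CGI meta-variables as RFC 3875 s.4.1.18 prescribes:
    upper-case the name, turn '-' into '_', prefix 'HTTP_'.  A client-supplied
    'Proxy' header therefore becomes HTTP_PROXY, the variable many HTTP client
    libraries consult to find their outbound proxy.  strip_proxy=True applies
    the httpoxy mitigation: discard that header before building the environment.
    """
    env: Dict[str, str] = {}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue  # never let the client choose the script's proxy
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_a_naive_client_would_use(env: Dict[str, str]) -> Optional[str]:
    """What a CGI script using an unpatched HTTP client library ends up with:
    the library reads HTTP_PROXY, so an attacker-chosen value redirects its
    outbound traffic (and anything in it, such as credentials) to the attacker."""
    return env.get("HTTP_PROXY")


_LIGHTTPD_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)")


def lighttpd_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Parse the version out of a Server header such as 'lighttpd/1.4.39'."""
    m = _LIGHTTPD_RE.search(server_header)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def lighttpd_affected(server_header: str) -> Optional[bool]:
    """True for lighttpd <= 1.4.40 (the range the scanner reported), False for
    newer builds, None if the banner is not lighttpd at all.  A banner alone
    does not prove exploitability: the server also has to run CGI, and the
    script has to make outbound HTTP requests through a library that honours
    HTTP_PROXY."""
    v = lighttpd_version(server_header)
    return None if v is None else v <= (1, 4, 40)


if __name__ == "__main__":
    # Constructed request headers, shaped like a scanner's httpoxy probe.
    probe = {
        "Host": "192.0.2.1",
        "User-Agent": "pci-scanner",          # hypothetical scanner name
        "Proxy": "http://203.0.113.5:8080",   # attacker-controlled proxy
    }
    vulnerable = cgi_meta_variables(probe)
    hardened = cgi_meta_variables(probe, strip_proxy=True)
    print("unmitigated HTTP_PROXY:", proxy_a_naive_client_would_use(vulnerable))
    print("mitigated   HTTP_PROXY:", proxy_a_naive_client_would_use(hardened))
    print("lighttpd/1.4.39 affected:", lighttpd_affected("Server: lighttpd/1.4.39"))
```

The version check is the cheap part; the part that decides whether the finding is real is whether any CGI script behind that banner makes outbound HTTP requests, which is what the accepted answer is saying about the MX status page. Note also that client libraries have since closed this from their side: Python's urllib, for instance, ignores HTTP_PROXY when REQUEST_METHOD is set in the environment, so even an unmitigated server only matters to scripts built on older libraries.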

Conversationalist

Re: Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

Since the page doesn't do any CGI or proxying, I don't see any issues.

Building a reputation

Re: Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

@ohv_ wrote:

Since the page doesn't do any CGI or proxying, I don't see any issues.

Back-end uses CGI.

BHC Resorts IT Department
Just browsing

Re: Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

Thank you everyone for the clarification.

Building a reputation

Re: Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

What firmware version are you running? Meraki is pretty on top of it patching CVEs. I'd guess you have an older version of FW.

Edit: For what it's worth, on my MX84 running the latest Beta (14.17), the status page responds with lighttpd/1.4.39.

BHC Resorts IT Department