Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

Solved
Jimmytwo
Just browsing

Hello,

I recently ran a penetration test on our MX64W as part of PCI compliance and was notified of one vulnerability (CVE-2016-1000212).
The vulnerability concerns lighttpd and applies to all versions <= 1.4.40. I have confirmed this from the HTTP response header "Server: lighttpd/1.4.39" on the Meraki status page. The vulnerability is well documented here: httpoxy.org

First, I have blocked all access to the Meraki status page from any external IP addresses, which should essentially mitigate this issue (unless a hacker is on site, in which case I probably have much bigger problems).

I am in no way a security expert, and since this issue has been known for over a year (not to mention I can't find anyone else talking about it), I'm led to believe it must be a non-issue.

Can someone please confirm or deny whether this is still a current vulnerability, or reassure me that there is nothing to worry about.
Any knowledge on the matter is greatly appreciated.
Thanks

1 Accepted Solution
Spectre
Meraki Employee

Support looked into this and it does not appear to be a concern. The vulnerability is not with lighttpd itself but the ability to pass a header to dynamic server-side scripts. From their internal checking this isn't a concern with the way it is configured on the MX.

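Added example (an editor's illustration, not part of the thread and not Meraki or lighttpd code) of the mechanism the accepted answer is describing: httpoxy is not a parsing bug in lighttpd but a name collision between the CGI meta-variable that a client-supplied "Proxy:" request header becomes (HTTP_PROXY) and the environment variable many HTTP client libraries read to find an outbound proxy. The code shows the RFC 3875 header-to-environment mapping, the server-side fix of refusing to forward that one header, how a naive client versus CPython's patched urllib resolve the proxy under such an environment, and the banner check the scanner in the original post performed. The request headers, addresses and proxy URL are constructed; the version bound (<= 1.4.40) is the one quoted in the original post, and a banner match by itself does not show that any script on the device ever consults HTTP_PROXY, which is the point of the accepted answer.

```python
import os
import re
import urllib.request
from unittest import mock

# 1. Web-server side: the RFC 3875 header-to-meta-variable mapping.
# A CGI/FastCGI front end turns every request header "Foo-Bar: v" into the
# environment variable HTTP_FOO_BAR=v for the script it launches.  A
# client-supplied "Proxy:" header therefore becomes HTTP_PROXY, which is
# also the variable many HTTP client libraries read to pick an outbound
# proxy.  That collision is httpoxy (CVE-2016-1000212 for lighttpd).
def cgi_environ(method, headers, drop_proxy_header=False):
    """Build the CGI environment for one request.

    headers: list of (name, value) pairs as received from the client.
    drop_proxy_header=True is the server-side fix httpoxy.org recommends:
    never forward the Proxy header to scripts.
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers:
        var = "HTTP_" + name.upper().replace("-", "_")
        if drop_proxy_header and var == "HTTP_PROXY":
            continue
        env[var] = value
    return env


# 2. Script side: which proxy will the script's HTTP client actually use?
def naive_client_proxy(env):
    """A client that trusts HTTP_PROXY unconditionally (the pre-2016
    behaviour the advisory describes).  Under CGI this is attacker input."""
    return env.get("HTTP_PROXY")


def urllib_client_proxy(env):
    """The proxy CPython's urllib.request resolves under this environment.

    Since CPython's httpoxy fix (CVE-2016-1000110), getproxies_environment()
    discards HTTP_PROXY when REQUEST_METHOD is set, i.e. when the process
    looks like a CGI script, but still honours lowercase http_proxy, which
    no request header can produce.  os.environ is replaced by `env` only
    inside the with-block and restored afterwards.
    """
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment().get("http")


# 3. The banner check the PCI scanner performed.  The bound is the one
# quoted in the original post ("all versions <= 1.4.40"); a banner match
# shows a version, not that any script on the box ever reads HTTP_PROXY.
LAST_AFFECTED = (1, 4, 40)


def lighttpd_version_affected(server_header):
    """True/False for a lighttpd banner inside/outside the affected range,
    None when the header is not a lighttpd banner carrying a version."""
    m = re.match(r"lighttpd/(\d+)\.(\d+)\.(\d+)", server_header.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) <= LAST_AFFECTED


if __name__ == "__main__":
    # Constructed request; the attacker-controlled proxy address is made up.
    request_headers = [("Host", "192.0.2.1"),
                       ("Proxy", "http://203.0.113.7:8080")]
    vulnerable_env = cgi_environ("GET", request_headers)
    fixed_env = cgi_environ("GET", request_headers, drop_proxy_header=True)
    print("naive client, unforwarded Proxy header :", naive_client_proxy(fixed_env))
    print("naive client, forwarded Proxy header   :", naive_client_proxy(vulnerable_env))
    print("urllib client, forwarded Proxy header  :", urllib_client_proxy(vulnerable_env))
    print("banner lighttpd/1.4.39 in affected range:", lighttpd_version_affected("lighttpd/1.4.39"))
```

To exploit this on a real host an attacker needs a script behind the CGI interface that makes its own outbound HTTP request with a proxy-honouring library; that is the condition the accepted answer says is absent on the MX, and it is also why the device's external exposure, not the lighttpd banner alone, decides the risk.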

5 Replies
ohv_
Conversationalist

Being the page doesn't do any CGI or proxy I don't see any issues.

BHC_RESORTS
Head in the Cloud

@ohv_ wrote:

Being the page doesn't do any CGI or proxy I don't see any issues.

Back-end uses CGI.

BHC Resorts IT Department

Jimmytwo
Just browsing

Thank you everyone for the clarification.

BHC_RESORTS
Head in the Cloud

What firmware version are you running? Meraki is pretty on top of it patching CVEs. I'd guess you have an older version of firmware.

Edit: For what it's worth, on my MX84 running the latest Beta (14.17), the status page responds with lighttpd/1.4.39.

BHC Resorts IT Department