Meraki

Community

Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

Solved
Jimmytwo
Just browsing
‎Dec 5 2017 3:53 PM
‎Dec 5 2017 3:53 PM

Security Vulnerability (MX64W) regarding lighttpd v1.4.39 (CVE-2016-1000212)

Hello,

 

I recently ran a penetration test on our MX64W as part of PCI-Compliance and was notified of 1 vulnerability (CVE-2016-1000212).
The vulnerability is regarding lighttpd and is applicable to all versions <= 1.4.40. I have confirmed from HTTP response header "Server: lighttpd/1.4.39" on the meraki status page. This vulnerability is well documented here: httpoxy.org

 

First, I have blocked all access to the meraki status page from any external IP addresses, which should essentially mitigate this issue (unless a hacker is onsite, in which case I probably have much bigger problems).

I am in no way a security expert, and since this issue has been known for over a year (not to mention I can't find anyone else talking about it), I'm led to believe it must be a non-issue.

Can someone please confirm/ deny whether this is still a current vulnerability, or reassure me that there is nothing to worry about.
Any knowledge on the matter is greatly appreciated.
Thanks

0 Kudos
1 Accepted Solution
In response to BHC_RESORTS
Spectre
Meraki Employee
Meraki Employee
‎Dec 6 2017 1:37 AM
‎Dec 6 2017 1:37 AM

Support looked into this and it does not appear to be a concern. The vulnerability is not with lighttpd itself but the ability
to pass a header to dynamic server sides scripts. From their internal checking this isn't a concern with the way it is configured
on the MX.

View solution in original post

0 Kudos
5 Replies 5
ohv_
Conversationalist
‎Dec 5 2017 4:00 PM
‎Dec 5 2017 4:00 PM

Being the page doesn't do any cgi or proxy I dont see any issues.

0 Kudos
In response to ohv_
BHC_RESORTS
Head in the Cloud
‎Dec 5 2017 5:53 PM
‎Dec 5 2017 5:53 PM

@ohv_ wrote:

Being the page doesn't do any cgi or proxy I dont see any issues.

Back-end uses CGI.

BHC Resorts IT Department
0 Kudos
In response to BHC_RESORTS
Spectre
Meraki Employee
Meraki Employee
‎Dec 6 2017 1:37 AM
‎Dec 6 2017 1:37 AM

Support looked into this and it does not appear to be a concern. The vulnerability is not with lighttpd itself but the ability
to pass a header to dynamic server sides scripts. From their internal checking this isn't a concern with the way it is configured
on the MX.

0 Kudos
In response to Spectre
Jimmytwo
Just browsing
‎Dec 6 2017 1:04 PM
‎Dec 6 2017 1:04 PM

Thank you everyone for the clarification.
0 Kudos
BHC_RESORTS
Head in the Cloud
‎Dec 5 2017 5:34 PM
‎Dec 5 2017 5:34 PM

What firmware version are you running? Meraki is pretty on top of it patching CVE's. I'd guess you have an older version of FW.

 

Edit: For what it's worth, on my MX84 running the latest Beta (14.17), the status page responds with lighttpd/1.4.39.

BHC Resorts IT Department
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.