Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
438
Views
5
Helpful
5
Replies

Lighttpd multiple high severity vulnerabilities - Cisco C20, C40

desmondallen1
Level 1
Level 1

‎10-07-2015 10:46 AM - edited ‎03-18-2019 05:04 AM

A number of our codecs have been identified as having vulnerabilities due to lighttpd. They are models C20 and C40. I've researched fixes or workarounds but have so far been unsuccessful in finding any information on it. Any suggestions?

Labels:
0 Helpful
5 Replies 5

Patrick Sparkman
VIP Alumni
VIP Alumni

‎10-07-2015 11:06 AM

What is the software versions of the codecs?

What is the exact vulnerability that is being flagged?

Keep an eye out here: Security Advisories and Responses, if Cisco releases any updated software to patch vulnerabilities, it will be posted there.  You also might find some solutions in the Bug Search Tool.

0 Helpful

desmondallen1
Level 1
Level 1
In response to Patrick Sparkman

‎10-07-2015 11:46 AM

They haven't all been upgraded to the current version. The codecs flagged are running 7.2.0, 7.3.2 or 7.3.3

Here is the portion of the message from our security team explaining the vulnerability:

"The installed version of Lighttpd contains multiple high severity vulnerabilities, including authorization bypass and information disclosure.

An attacker may be able to bypass authentication and gain unauthorized access to system resources."

0 Helpful

Patrick Sparkman
VIP Alumni
VIP Alumni
In response to desmondallen1

‎10-07-2015 11:51 AM

If it's a recent vulnerability, it could be that Cisco hasn't had time to release a software fix for it.  The only Lighttpd vulnerability I found was fixed in TC6 software (see Acevirgil's reply below).  Suggest you open a TAC case and let them know, they might be able to tell you when or if a fix is pending.

0 Helpful

Magnus Ohm
Cisco Employee
Cisco Employee
In response to desmondallen1

‎10-08-2015 01:39 AM

We are not using lighttpd anymore, the codecs are using the nginx webserver since TC7.2.x. I suspect this is a false positive. The lighttpd package should not even be there. 

/Magnus

Acevirgil de Ocampo
Level 7
Level 7

‎10-07-2015 11:13 AM

What's the firmware version of your codecs?  There's a known bug CSCue52815 on C-series codecs running TC6.0.

https://tools.cisco.com/bugsearch/bug/CSCue52815 

Upgrading the firmware to latest version would resolve your issue.

Take a look at these discussion and see Magnus Ohm's answer in which issue have been resolved.

https://supportforums.cisco.com/discussion/11887331/lighttpd-issue-after-tc6-upgrade

 

regards,

Acevirgil

0 Helpful
Customers Also Viewed These Support Documents