topic Re: CSCvf36258 - Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability in Cisco Bug Discussions

CSCvf36258 - Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

Christian Jorge — Wed, 27 Nov 2019 18:18:29 GMT

Good morning

Advisory says: "A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software" and " there's no workaround"

Please, how can I check in device (IOS or IOS-XE) if this " HTTP client feature" is active or used?

Is it the same as " ip http server" in show run ?

Regards

christian

Re: CSCvf36258 - Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

Leo Laohoo — Sun, 01 Dec 2019 08:43:38 GMT

Read Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability and scroll down to the bottom of the page where one can check if the IOS/IOS-XE is affected by this bug (or not).

Re: CSCvf36258 - Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

Christian Jorge — Thu, 16 Jan 2020 19:27:57 GMT

Sorry, but the question is not how to verify whether a software version is potentially vulnerable or not.
Of course, you can confirm it by IOS Checker and I think it's kind a first step to confirm your device is affected.

The question is how to verify in configuration whether my device is vulnerable or not.

Sometimes Cisco informs it in its Advisory.

This case, only having http server, or similar, enable on a device with affected IOS is enough?
Is there any other piece of configuration to be checked?

Re: CSCvf36258 - Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

RoyalEF3153 — Fri, 29 May 2020 13:45:01 GMT

I have the same exact question.

We don't enable http or https on any of our switches.

IT would be my assumption that this can not affect our configuration? Because otherwise we have to update 95% of the switches in the company.

Re: CSCvf36258 - Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

routers_and_switches_oh_my — Wed, 29 Jul 2020 16:24:52 GMT

I have the same issue, a customer is stating they are not vulnerable due to "no ip http server" but imo that is not good enough & they should have to either prove that http client is disabled OR upgrade.

1. Is it possible to disable http client? (haven't seen anything about it online & I don't have a testing environment and I don't want to waste the customer's time asking them to do something impossible)

a. If that is the case, then shouldn't the Advisory state a workaround is available?

2. Is "no ip http server" enough to effectively render devices invulnerable to this advisory?

Re: CSCvf36258 - Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

RoyalEF3153 — Wed, 29 Jul 2020 19:59:43 GMT

I've found advisory notices to be contradictory.

Cisco will list one OS version affected and 70 versions patched. ?WT?I think a "WORKAROUND" is a trick to avoid the bug WHILE STILL USING THAT FEATURE.

For instance security advisories about corrupted BGP updates from routing partners does not list "Do not use BGP" as a workaround. But obviously it is. If your not using it, then updates aren't being accepted or acted on. But it will not be listed as a workround.

I did open a TAC case and they confirmed that deactivating the servers would eliminate the concern.

The title says it is HTTP, but I don't recall if HTTPS is affected. If so, both servers would need to be disabled. We don't run either server so it was a non-issue for us.

no http server

no https server

Re: CSCvf36258 - Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

MartinKajan — Tue, 23 Feb 2021 11:44:35 GMT

With regard to the information in the advisory, I'd stand firm with disabling only the HTTP server, not the HTTPS.