
CSCvf36258 - Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

Christian Jorge
Level 1

Good morning

 

The advisory says: "A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software" and "there's no workaround".

Please, how can I check on a device (IOS or IOS-XE) if this "HTTP client feature" is active or used?

Is it the same as "ip http server" in show run?

Regards

 

christian

6 Replies

Leo Laohoo
Hall of Fame

Read Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability and scroll down to the bottom of the page where one can check if the IOS/IOS-XE is affected by this bug (or not).

Sorry, but the question is not how to verify whether a software version is potentially vulnerable or not.
Of course, you can confirm it with the IOS Checker, and I think it's kind of a first step to confirm your device is affected.

 

The question is how to verify in configuration whether my device is vulnerable or not.

Sometimes Cisco informs it in its Advisory.

 

In this case, is only having http server, or similar, enabled on a device with affected IOS enough?
Is there any other piece of configuration to be checked?

I have the same exact question. 

 

We don't enable http or https on any of our switches.

 

It would be my assumption that this cannot affect our configuration? Because otherwise we have to update 95% of the switches in the company.

I have the same issue, a customer is stating they are not vulnerable due to "no ip http server" but imo that is not good enough & they should have to either prove that http client is disabled OR upgrade. 

 

1. Is it possible to disable http client? (haven't seen anything about it online & I don't have a testing environment and I don't want to waste the customer's time asking them to do something impossible)

    a. If that is the case, then shouldn't the Advisory state a workaround is available? 

2. Is "no ip http server" enough to effectively render devices invulnerable to this advisory? 

I've found advisory notices to be contradictory.

Cisco will list one OS version affected and 70 versions patched. ?WT? I think a "WORKAROUND" is a trick to avoid the bug WHILE STILL USING THAT FEATURE.

 

For instance, security advisories about corrupted BGP updates from routing partners do not list "Do not use BGP" as a workaround. But obviously it is. If you're not using it, then updates aren't being accepted or acted on. But it will not be listed as a workaround.

 

I did open a TAC case and they confirmed that deactivating the servers would eliminate the concern.

 

The title says it is HTTP, but I don't recall if HTTPS is affected.  If so, both servers would need to be disabled. We don't run either server so it was a non-issue for us.

 

no ip http server

no ip http secure-server

 

With regard to the information in the advisory, I'd stand firm with disabling only the HTTP server, not the HTTPS.
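
The configuration check discussed in this thread, as an added example that is not part of the original posts or of Cisco's advisory: a Python script that reads saved `show running-config` text and reports whether `ip http server` and `ip http secure-server` are enabled, explicitly disabled, or absent (in which case the platform default applies and is not visible in the text), and lists any `ip http client` lines. The hostnames and configs are constructed samples, and counting HTTPS as in scope by default is an assumption, since the replies above disagree on it.

```python
import re

# Constructed sample configs (not taken from any real device).
SAMPLE_CONFIGS = {
    "sw-access-01": "hostname sw-access-01\nip http server\nip http secure-server\n",
    "rtr-edge-01": "hostname rtr-edge-01\nno ip http server\nno ip http secure-server\n"
                   "ip http client source-interface Loopback0\n",
    "sw-core-01": "hostname sw-core-01\nno ip http server\nip http secure-server\n",
    "sw-lab-01": "hostname sw-lab-01\ninterface Vlan1\n shutdown\n",
}

SERVER_CMDS = {"http": "ip http server", "https": "ip http secure-server"}


def audit_config(text):
    """Return HTTP/HTTPS server state and any 'ip http client' lines."""
    # Global commands start in column 0, so keep leading whitespace intact.
    lines = [ln.rstrip() for ln in text.splitlines()]
    result = {}
    for name, cmd in SERVER_CMDS.items():
        if cmd in lines:
            result[name] = "enabled"
        elif "no " + cmd in lines:
            result[name] = "disabled"
        else:
            # Neither form shown: the platform default applies, so do not guess.
            result[name] = "unknown"
    result["client_lines"] = [ln for ln in lines if re.match(r"ip http client\b", ln)]
    return result


def needs_review(result, include_https=True):
    """True unless the server(s) in scope are explicitly disabled.

    include_https=True is an assumption of this example, not advisory text.
    """
    scope = ["http", "https"] if include_https else ["http"]
    return any(result[name] != "disabled" for name in scope)


def audit_all(configs):
    return {host: audit_config(text) for host, text in configs.items()}


if __name__ == "__main__":
    for host, res in audit_all(SAMPLE_CONFIGS).items():
        flag = "REVIEW" if needs_review(res) else "ok"
        print(f"{host:14} http={res['http']:8} https={res['https']:8} "
              f"client_lines={len(res['client_lines'])} {flag}")
```

An "unknown" result means the saved text shows neither form of the command, so the state has to be confirmed on the device itself.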
