11-27-2019 10:18 AM
Good morning
The advisory says: "A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software" and "there's no workaround".
Please, how can I check on a device (IOS or IOS-XE) whether this "HTTP client feature" is active or used?
Is it the same as "ip http server" in show run?
Regards
christian
12-01-2019 12:43 AM
Read Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability and scroll down to the bottom of the page where one can check if the IOS/IOS-XE is affected by this bug (or not).
01-16-2020 11:27 AM
Sorry, but the question is not how to verify whether a software version is potentially vulnerable or not.
Of course, you can confirm it with the IOS Checker, and I think it's kind of a first step to confirm your device is affected.
The question is how to verify in the configuration whether my device is vulnerable or not.
Sometimes Cisco states it in its advisory.
In this case, is only having the HTTP server, or similar, enabled on a device with an affected IOS enough?
Is there any other piece of configuration to be checked?
05-29-2020 06:45 AM
I have the same exact question.
We don't enable http or https on any of our switches.
It would be my assumption that this cannot affect our configuration? Because otherwise we have to update 95% of the switches in the company.
07-29-2020 09:24 AM
I have the same issue, a customer is stating they are not vulnerable due to "no ip http server" but imo that is not good enough & they should have to either prove that http client is disabled OR upgrade.
1. Is it possible to disable http client? (haven't seen anything about it online & I don't have a testing environment and I don't want to waste the customer's time asking them to do something impossible)
a. If that is the case, then shouldn't the Advisory state a workaround is available?
2. Is "no ip http server" enough to effectively render devices invulnerable to this advisory?
07-29-2020 12:59 PM
I've found advisory notices to be contradictory.
Cisco will list one OS version affected and 70 versions patched. ?WT? I think a "WORKAROUND" is a trick to avoid the bug WHILE STILL USING THAT FEATURE.
For instance, security advisories about corrupted BGP updates from routing partners do not list "Do not use BGP" as a workaround. But obviously it is. If you're not using it, then updates aren't being accepted or acted on. But it will not be listed as a workaround.
I did open a TAC case and they confirmed that deactivating the servers would eliminate the concern.
The title says it is HTTP, but I don't recall if HTTPS is affected. If so, both servers would need to be disabled. We don't run either server so it was a non-issue for us.
no ip http server
no ip http secure-server
02-23-2021 03:44 AM
With regard to the information in the advisory, I'd stand firm with disabling only the HTTP server, not the HTTPS.
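An added example, not part of any post in this thread and not Cisco tooling: a Python check over saved `show running-config` text for the two server settings the posters discuss. It reports only the state of those lines (whether that settles exposure to the advisory is the question debated above); hostnames and sample configurations are constructed.

```python
# Commands discussed in the thread. A missing line is reported as "unknown":
# platform defaults differ and a plain "show running-config" may omit them
# ("show running-config all" on the device lists defaults).
SETTINGS = {
    "http_server": "ip http server",
    "https_server": "ip http secure-server",
}


def http_server_state(config_text):
    """Return {'http_server': state, 'https_server': state} where state is
    'enabled', 'disabled' or 'unknown'."""
    state = {name: "unknown" for name in SETTINGS}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and IOS comment separators
        for name, command in SETTINGS.items():
            # Exact match so "ip http authentication local" is not miscounted.
            if line == command:
                state[name] = "enabled"
            elif line == "no " + command:
                state[name] = "disabled"
    return state


def audit(configs):
    """configs maps hostname -> running-config text.
    Returns only hosts where either server is not explicitly disabled."""
    findings = {}
    for host, text in configs.items():
        state = http_server_state(text)
        if any(value != "disabled" for value in state.values()):
            findings[host] = state
    return findings


# Constructed sample configurations (not from real devices).
SAMPLE_CONFIGS = {
    "sw1": "hostname sw1\n!\nno ip http server\nno ip http secure-server\n",
    "sw2": "hostname sw2\nip http server\nip http authentication local\n"
           "no ip http secure-server\n",
    "sw3": "hostname sw3\n!\nline vty 0 4\n transport input ssh\n",
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_CONFIGS).items()):
        print(host, state)
```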