cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
565
Views
5
Helpful
5
Replies

Lighttpd multiple high severity vulnerabilities - Cisco C20, C40

desmondallen1
Level 1
Level 1

A number of our codecs have been identified as having vulnerabilities due to lighttpd. They are models C20 and C40. I've researched fixes or workarounds but have so far been unsuccessful in finding any information on it. Any suggestions?

5 Replies 5

Patrick Sparkman
VIP Alumni
VIP Alumni

What is the software versions of the codecs?

What is the exact vulnerability that is being flagged?

Keep an eye out here: Security Advisories and Responses, if Cisco releases any updated software to patch vulnerabilities, it will be posted there.  You also might find some solutions in the Bug Search Tool.

They haven't all been upgraded to the current version. The codecs flagged are running 7.2.0, 7.3.2 or 7.3.3

Here is the portion of the message from our security team explaining the vulnerability:

"The installed version of Lighttpd contains multiple high severity vulnerabilities, including authorization bypass and information disclosure.

An attacker may be able to bypass authentication and gain unauthorized access to system resources."

If it's a recent vulnerability, it could be that Cisco hasn't had time to release a software fix for it.  The only Lighttpd vulnerability I found was fixed in TC6 software (see Acevirgil's reply below).  Suggest you open a TAC case and let them know, they might be able to tell you when or if a fix is pending.

We are not using lighttpd anymore, the codecs are using the nginx webserver since TC7.2.x. I suspect this is a false positive. The lighttpd package should not even be there. 

/Magnus

What's the firmware version of your codecs?  There's a known bug CSCue52815 on C-series codecs running TC6.0.

https://tools.cisco.com/bugsearch/bug/CSCue52815 

Upgrading the firmware to latest version would resolve your issue.

Take a look at these discussion and see Magnus Ohm's answer in which issue have been resolved.

https://supportforums.cisco.com/discussion/11887331/lighttpd-issue-after-tc6-upgrade

 

regards,

Acevirgil