lighttpd 1.4.39 vulnerabilities

[Sparrow]

Hi, I've run a simple online vulnerabilty test from https://pentest-tools.com/network-vulnerability-scanning/network-security-scanner-online-openvas against a latest Merlin beta build (RT-AX68U).

It reports two found vulnerabilities in 1.4.39 version of lighttpd.

CVE-2019-11072 and
CVE-2018-19052

The flaws are patched in lighttpd 1.4.54+. Is it possible to update it in upcoming Merlin releases?

Looks like it's Asus' implementantion on AiCloud's port 443

 

[saleanddeki]

I did it on AX56U, 386.2 beta1, no risks.

 

[RMerlin]

Is it possible to update it in upcoming Merlin releases?

No, portions of AiCloud are closed source and outside of my control.

Note that you should never blindly rely on such test tools. They generally don't test anything, and just make assumptions based on a reported software version, without being able to tell if a specific server is actually vulnerable or not. Features can be enabled/disabled, fixes can be backported. And in this particular case, 1.4.39 isn't even vulnerable to CVE-2019-11072... And I can tell that the other CVE cannot be exploited in AiCloud either.