A vulnerability in the local status page functionality of the Cisco Meraki MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote attacker to modify device configuration files.
The vulnerability exists in how the device handles requests to the local status page. A successful exploit could allow the attacker to establish an interactive session on the device with elevated privileges, and then use those privileges to further compromise the device or to obtain additional configuration data from it.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki
All Cisco Meraki products in the following list are affected by this vulnerability when the local status page feature is enabled and the device is running a software release prior to a fixed release listed in the Fixed Software section of this advisory:
Note: The local status page feature is enabled by default on all Cisco Meraki software releases for the products in the preceding list.
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect any Cisco wireless products except the Cisco Meraki products listed in the Vulnerable Products section.
Cisco has confirmed that this vulnerability does not affect the following Cisco Meraki products:
There is no workaround that lets customers keep using the local status page while eliminating the attack vector for this vulnerability. Disabling the local status page, however, removes the attack vector entirely and prevents the vulnerability from being exploited. Customers are advised to weigh their own operational needs when deciding whether disabling the local status page is a feasible mitigation for unpatched devices.
Customers with access to the Meraki Dashboard can use the following instructions to disable the local status page: Disabling the Local Status Page.
Note: Disabling the local status page can result in limited functionality in some scenarios. Consult the preceding link for information about the possible negative impact of disabling the local status page.
Cisco Meraki has released software updates that address the vulnerability described in this advisory. Cisco Meraki provides software updates for all devices with a valid and active license, and there is no other requirement to receive such updates, as described in our End Customer Agreement. Devices without a valid, active license will not receive any software upgrades. If you require a new license, please contact your sales team or representative. The contact information is in the Meraki Dashboard under Help > Get Help.
The policy and procedure for devices that have reached the end-of-support milestone are detailed on the Support Policies page.
Product | Fixed Release |
---|---|
Meraki MR | MR 24 firmware - 24.13 or later |
Meraki MR | MR 25 firmware - 25.11 or later |
Meraki MS | MS 9 firmware - 9.37 or later |
Meraki MS | MS 10 firmware - 10.20 or later |
Meraki MX and Meraki Z1/Z3 | MX 13 firmware - 13.32 or later |
Meraki MX and Meraki Z1/Z3 | MX 14 firmware - 14.25 or later |
Meraki MX and Meraki Z1/Z3 | MX 15 firmware - 15.7 or later |
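Because each firmware train has its own fixed release, a device on MR 24.13 is fixed while a device on MR 25.9 is not, even though 25.9 is numerically "newer". The following Python is an added example, not Cisco or Meraki code, that encodes the Fixed Software table above and classifies a device's firmware string train by train. The accepted firmware string formats ("MR 25.9", "wireless-25-11") and the family aliases are assumptions about how an inventory might report firmware, not something this advisory specifies; adapt the parser to whatever your inventory source actually emits.

```python
import re

# Fixed releases from the advisory's Fixed Software table, keyed by
# (product family, major firmware train) -> minimum fixed minor version.
FIXED_RELEASES = {
    ("MR", 24): 13,
    ("MR", 25): 11,
    ("MS", 9): 37,
    ("MS", 10): 20,
    ("MX", 13): 32,
    ("MX", 14): 25,
    ("MX", 15): 7,
}

# Z1/Z3 teleworker gateways run MX firmware per the advisory. The
# "wireless"/"switch"/"appliance" names are an assumed inventory convention.
FAMILY_ALIASES = {
    "Z1": "MX",
    "Z3": "MX",
    "wireless": "MR",
    "switch": "MS",
    "appliance": "MX",
}

# Assumed formats: "<family> <major>.<minor>" or "<family>-<major>-<minor>".
VERSION_RE = re.compile(
    r"^(?P<family>[A-Za-z0-9]+)[ -](?P<major>\d+)[.-](?P<minor>\d+)$"
)


def parse_firmware(firmware: str) -> tuple[str, int, int]:
    """Return (family, major, minor) for an assumed-format firmware string."""
    m = VERSION_RE.match(firmware.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    family = m.group("family")
    family = FAMILY_ALIASES.get(family, family.upper())
    return family, int(m.group("major")), int(m.group("minor"))


def assess(firmware: str, local_status_page_enabled: bool = True) -> str:
    """Classify a device against the advisory's fixed releases.

    Returns one of:
      "fixed"                 - at or above the fixed release for its train
      "vulnerable"            - below the fixed release, attack vector exposed
      "vulnerable-mitigated"  - below the fixed release, but the local status
                               page is disabled (advisory's only mitigation)
      "not-in-advisory"       - a train newer than any the advisory lists;
                               check the advisory itself before assuming fixed
    """
    family, major, minor = parse_firmware(firmware)
    trains = [t for (fam, t) in FIXED_RELEASES if fam == family]
    if not trains:
        # Product family not covered by this advisory at all.
        return "not-in-advisory"
    if major > max(trains):
        return "not-in-advisory"
    fixed_minor = FIXED_RELEASES.get((family, major))
    # A train older than the oldest listed (e.g. MR 23.x) is "prior to a
    # fixed release" and therefore affected.
    if fixed_minor is None or minor < fixed_minor:
        return "vulnerable-mitigated" if not local_status_page_enabled else "vulnerable"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [
        ("ap-lobby", "MR 25.9", True),
        ("ap-dock", "wireless-24-13", True),
        ("sw-core", "MS 10.19", False),
        ("vpn-branch", "Z3 14.20", True),
    ]
    for name, fw, lsp in inventory:
        print(f"{name:12} {fw:16} local status page={'on' if lsp else 'off':3} -> {assess(fw, lsp)}")
```

Run it against the inventory at the bottom to see the per-train logic; feed it your own firmware strings (after adjusting the regex and aliases to your source) to triage which devices still need the upgrade and which are at least mitigated by having the local status page disabled.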
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was found by an external researcher and reported to Cisco Meraki through the Cisco Meraki Security Vulnerability Rewards Program.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
The Cisco Meraki Security Vulnerability Rewards Program page describes this program and how to participate.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.0 | Initial public release. | - | Final | 2018-November-07 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.