cisco-sa-20181107-meraki
Vulnerability from csaf_cisco
Published
2018-11-07 16:00
Modified
2018-11-07 16:00
Summary
Cisco Meraki Local Status Page Privilege Escalation Vulnerability

Notes

Summary
A vulnerability in the local status page functionality of the Cisco Meraki MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote attacker to modify device configuration files.

The vulnerability occurs when handling requests to the local status page. An exploit could allow the attacker to establish an interactive session to the device with elevated privileges. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device that is being exploited.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVE ID: CVE-2018-0284. CVSS v3.0 base score: 8.8 (High), vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (from the CSAF record below).

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki
Vulnerable Products
All Cisco Meraki products in the following list are affected by this vulnerability when the local status page feature is enabled and the device is running a software release prior to a fixed release listed in the Fixed Software ["#fs"] section of this advisory:

  • MR devices
  • MS devices
  • MX devices (includes physical devices and the vMX100 virtual appliance)
  • Z1 and Z3 devices

Note: The local status page feature is enabled by default on all Cisco Meraki software releases for the products in the preceding list.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect any Cisco wireless products except the Cisco Meraki products listed in the Vulnerable Products ["#vp"] section.

Cisco has confirmed that this vulnerability does not affect the following Cisco Meraki products:

  • Cisco Meraki Insight (MI)
  • Cisco Meraki MC family of VoIP phones
  • Cisco Meraki MV family of security cameras
  • Cisco Meraki Systems Manager (SM)
Workarounds
Although there are no workarounds that will allow customers to continue using the local status page and eliminate the attack vector for this vulnerability, disabling the local status page would eliminate the attack vector and prevent the vulnerability from being exploited. Customers are advised to consider their own environment needs to determine whether disabling the local status page is a feasible mitigation for preventing exploitation of unpatched devices.

Customers with access to the Meraki Dashboard can use the following instructions to disable the local status page: Disabling the Local Status Page ["https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Disabling_the_Local_Status_Page"].

Note: Disabling the local status page can result in limited functionality in some scenarios. Consult the preceding link for information about the possible negative impact of disabling the local status page.
Fixed Software
Cisco Meraki has released software updates that address the vulnerability described in this advisory. Cisco Meraki provides software updates for all devices with a valid and active license, and there is no other requirement to receive such updates, as described in our End Customer Agreement. Devices without a valid, active license will not receive any software upgrades. If you require a new license, please contact your sales team or representative. The contact information is in the Meraki Dashboard under Help > Get Help.

The policy and procedure for devices that have reached the end-of-support milestone are detailed on the Support Policies ["https://meraki.cisco.com/support/#policies:eol"] page.

Fixed Releases

  Product                      Fixed Release
  Meraki MR                    MR 24 firmware - 24.13 or later
                               MR 25 firmware - 25.11 or later
  Meraki MS                    MS 9 firmware - 9.37 or later
                               MS 10 firmware - 10.20 or later
  Meraki MX and Meraki Z1/Z3   MX 13 firmware - 13.32 or later
                               MX 14 firmware - 14.25 or later
                               MX 15 firmware - 15.7 or later
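The fixed-release table is what an operator actually has to apply to a device inventory, per firmware train rather than per product, and the Workarounds section adds a third state (unpatched but local status page disabled). The script below is an added triage example written for this page; it is not Cisco Meraki code. It assumes a CSV inventory with name, model, firmware and local_status_page columns, and that firmware strings carry a major-minor pair in either the "24.13" form or the Dashboard-style "wireless-24-13" form; both are assumptions, and the sample inventory is constructed. Z1/Z3 and vMX100 are mapped to the MX trains as the table does. A train the advisory does not list (for example MX 16) is reported as unknown instead of being guessed fixed.

```python
import csv
import io
import re

# Fixed releases from the advisory's Fixed Software table:
# product family -> firmware train (major) -> first fixed (major, minor).
# Z1/Z3 teleworker gateways and the vMX100 run MX firmware.
FIXED_RELEASES = {
    "MR": {24: (24, 13), 25: (25, 11)},
    "MS": {9: (9, 37), 10: (10, 20)},
    "MX": {13: (13, 32), 14: (14, 25), 15: (15, 7)},
}

# Families the advisory confirms not affected (MI, MC, MV, SM) have no
# entry above and are reported as not_affected.

_VERSION_RE = re.compile(r"(\d+)[.-](\d+)")


def parse_version(firmware):
    """Extract (major, minor) from '24.13' or 'wireless-24-13' (assumed
    Dashboard form). Returns None when no version number is present."""
    m = _VERSION_RE.search(firmware)
    return (int(m.group(1)), int(m.group(2))) if m else None


def family_from_model(model):
    """Map a model string (MR33, MS225-48, Z3, vMX100, MV12) to a family."""
    m = model.strip().upper()
    if m.startswith(("Z1", "Z3", "VMX")):
        return "MX"
    letters = re.match(r"[A-Z]+", m)
    return letters.group(0) if letters else m


def assess(model, firmware, local_status_page_enabled=True):
    """Classify one device: 'fixed', 'vulnerable', 'mitigated' (vulnerable
    release but local status page disabled), 'not_affected', or 'unknown'
    (cannot be decided from the advisory's table alone)."""
    trains = FIXED_RELEASES.get(family_from_model(model))
    if trains is None:
        return "not_affected"
    version = parse_version(firmware)
    if version is None:
        return "unknown"
    major = version[0]
    if major in trains:
        status = "fixed" if version >= trains[major] else "vulnerable"
    elif major < min(trains):
        status = "vulnerable"   # older than every fixed train
    else:
        return "unknown"        # newer train than the advisory lists; check release notes
    if status == "vulnerable" and not local_status_page_enabled:
        return "mitigated"      # attack vector removed, but the device is still unpatched
    return status


def triage(inventory_csv):
    """Run assess() over a CSV inventory. The local status page is enabled
    by default on these products, so a missing column counts as enabled."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        lsp = (row.get("local_status_page") or "true").strip().lower()
        enabled = lsp not in ("false", "no", "0", "disabled")
        results[row["name"]] = assess(row["model"], row["firmware"], enabled)
    return results


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE_INVENTORY = """name,model,firmware,local_status_page
ap-lobby,MR33,wireless-24-12,true
ap-floor2,MR42,wireless-25-11,true
ap-old,MR12,wireless-23-9,true
sw-core,MS225-48,switch-10-20,true
sw-edge,MS220-8,switch-9-36,false
fw-hq,MX84,wired-14-25,true
fw-branch,Z3,wired-13-31,true
fw-lab,vMX100,wired-16-2,true
cam-door,MV12,camera-3-20,true
"""

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10s} {status}")
```

The comparison is done per train because a device on 24.12 is vulnerable even though 24.12 is numerically "newer" than nothing in the 25 train; cross-train ordering only matters for releases older than every listed train. Treat "mitigated" as a temporary state: the device is still running vulnerable code and should be upgraded.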
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. The Cisco Meraki Security Vulnerability Rewards Program ["https://meraki.cisco.com/trust#srp"] page describes this program and how to participate.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
This vulnerability was found by an external researcher and reported to Cisco Meraki through the Cisco Meraki Security Vulnerability Rewards Program ["https://meraki.cisco.com/trust#srp"].
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.



{
  "document": {
    "acknowledgments": [
      {
        "summary": "This vulnerability was found by an external researcher and reported to Cisco Meraki through the Cisco Meraki Security Vulnerability Rewards Program [\"https://meraki.cisco.com/trust#srp\"]."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "A vulnerability in the local status page functionality of the Cisco Meraki MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote attacker to modify device configuration files.\r\n\r\nThe vulnerability occurs when handling requests to the local status page. An exploit could allow the attacker to establish an interactive session to the device with elevated privileges. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device that is being exploited.\r\n\r\n\r\n Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\r\n\r\nThis advisory is available at the following link:\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki\"]",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "All Cisco Meraki products in the following list are affected by this vulnerability when the local status page feature is enabled and the device is running a software release prior to a fixed release listed in the Fixed Software [\"#fs\"] section of this advisory:\r\n\r\nMR devices\r\nMS devices\r\nMX devices (includes physical devices and the vMX100 virtual appliance)\r\nZ1 and Z3 devices\r\n\r\n  Note: The local status page feature is enabled by default on all Cisco Meraki software releases for the products in the preceding list.",
        "title": "Vulnerable Products"
      },
      {
        "category": "general",
        "text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nCisco has confirmed that this vulnerability does not affect any Cisco wireless products except the Cisco Meraki products listed in the Vulnerable Products [\"#vp\"] section.\r\n\r\nCisco has confirmed that this vulnerability does not affect the following Cisco Meraki products:\r\n\r\nCisco Meraki Insight (MI)\r\nCisco Meraki MC family of VoIP phones\r\nCisco Meraki MV family of security cameras\r\nCisco Meraki Systems Manager (SM)",
        "title": "Products Confirmed Not Vulnerable"
      },
      {
        "category": "general",
        "text": "Although there are no workarounds that will allow customers to continue using the local status page and eliminate the attack vector for this vulnerability, disabling the local status page would eliminate the attack vector and prevent the vulnerability from being exploited. Customers are advised to consider their own environment needs to determine whether disabling the local status page is a feasible mitigation for preventing exploitation of unpatched devices.\r\n\r\nCustomers with access to the Meraki Dashboard can use the following instructions to disable the local status page: Disabling the Local Status Page [\"https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Disabling_the_Local_Status_Page\"].\r\n\r\nNote: Disabling the local status page can result in limited functionality in some scenarios. Consult the preceding link for information about the possible negative impact of disabling the local status page.",
        "title": "Workarounds"
      },
      {
        "category": "general",
        "text": "Cisco Meraki has released software updates that address the vulnerability described in this advisory. Cisco Meraki provides software updates for all devices with a valid and active license, and there is no other requirement to receive such updates, as described in our End Customer Agreement. Devices without a valid, active license will not receive any software upgrades. If you require a new license, please contact your sales team or representative. The contact information is in the Meraki Dashboard under Help \u003e Get Help.\r\n\r\nThe policy and procedure for devices that have reached the end-of-support milestone are detailed on the Support Policies [\"https://meraki.cisco.com/support/#policies:eol\"] page.\r\n  Fixed Releases                                Product              Fixed Release                                              Meraki MR\r\n              MR 24 firmware - 24.13 or later\r\n                                  MR 25 firmware - 25.11 or later\r\n                                  Meraki MS\r\n              MS 9 firmware - 9.37 or later\r\n                                  MS 10 firmware - 10.20 or later\r\n                                  Meraki MX and Meraki Z1/Z3              MX 13 firmware - 13.32 or later\r\n                                  MX 14 firmware - 14.25 or later                                   MX 15 firmware - 15.7 or later",
        "title": "Fixed Software"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.\r\n\r\nThe Cisco Meraki Security Vulnerability Rewards Program [\"https://meraki.cisco.com/trust#srp\"] page describes this program and how to participate.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.",
        "title": "Exploitation and Public Announcements"
      },
      {
        "category": "general",
        "text": "This vulnerability was found by an external researcher and reported to Cisco Meraki through the Cisco Meraki Security Vulnerability Rewards Program [\"https://meraki.cisco.com/trust#srp\"].",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
      "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco Meraki Local Status Page Privilege Escalation Vulnerability",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki"
      },
      {
        "category": "external",
        "summary": "Disabling the Local Status Page",
        "url": "https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Disabling_the_Local_Status_Page"
      },
      {
        "category": "external",
        "summary": "Support Policies",
        "url": "https://meraki.cisco.com/support/#policies:eol"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "Cisco Meraki Security Vulnerability Rewards Program",
        "url": "https://meraki.cisco.com/trust#srp"
      },
      {
        "category": "external",
        "summary": "Cisco Meraki Security Vulnerability Rewards Program",
        "url": "https://meraki.cisco.com/trust#srp"
      }
    ],
    "title": "Cisco Meraki Local Status Page Privilege Escalation Vulnerability",
    "tracking": {
      "current_release_date": "2018-11-07T16:00:00+00:00",
      "generator": {
        "date": "2022-09-03T03:18:19+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-20181107-meraki",
      "initial_release_date": "2018-11-07T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2018-11-07T01:04:44+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_family",
            "name": "Cisco Meraki MR Firmware",
            "product": {
              "name": "Cisco Meraki MR Firmware ",
              "product_id": "CSAFPID-204723"
            }
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-0284",
      "notes": [
        {
          "category": "other",
          "text": "Complete.",
          "title": "Affected Product Comprehensiveness"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-204723"
        ]
      },
      "release_date": "2018-11-07T16:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Cisco has released software updates that address this vulnerability.",
          "product_ids": [
            "CSAFPID-204723"
          ],
          "url": "https://software.cisco.com"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-204723"
          ]
        }
      ],
      "title": "Cisco Meraki Local Status Page Privilege Escalation Vulnerability"
    }
  ]
}

