{
  "document": {
    "acknowledgments": [
      {
        "summary": "Cisco Meraki would like to thank Mohammed Adel of Safe Decision Cybersecurity Labs for the suggestion to raise awareness of LSP factory default credentials among Cisco Meraki customers."
      }
    ],
    "category": "csaf_informational_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "Cisco Meraki devices implement a Local Status Page (LSP) feature. This is a web-based interface that is primarily intended to provide administrators with the ability to apply configuration settings that are required for the device to connect to the Cisco Meraki Dashboard, perform local troubleshooting, or monitor the device status.\r\n\r\nThe LSP requires authentication. When configured with the factory default settings, credentials for the LSP are comprised of the device hardware serial number as the username and an empty password. An attacker can take advantage of the low entropy of the default credentials as well as the lack of a mechanism that limits login attempts to carry out a brute-force attack against the LSP authentication form. If successful, the attacker may gain unauthorized access to the LSP and use it to modify sensitive configuration options, cause a denial of service (DoS) condition, or obtain low-privileged information.\r\n\r\nThe LSP is enabled by default.\r\n\r\nNote: The hardware serial number is visible on the device surface and is printed on the shipment packaging.\r\n\r\n",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "Cisco Meraki devices are designed to be fully managed through a cloud management interface (Meraki Dashboard). In addition, Cisco Meraki devices include the LSP feature, which is a web administrative interface that is hosted locally on the device. The LSP feature is typically used during initial setup to apply configuration options that are needed for the device to connect to the Cisco Meraki Dashboard, monitor device status and utilization, and perform local troubleshooting.\r\n\r\nThe target audience for this informational advisory is Cisco Meraki customers who either have the LSP deployed with the factory default configuration or are unaware that the feature is available on their devices.",
        "title": "Details"
      },
      {
        "category": "general",
        "text": "Cisco Meraki strongly encourages administrators who have the LSP capability set with the factory default credentials to review the configuration settings and change the factory default password to a strong password.\r\n\r\nTo modify the LSP factory default credentials, do the following:\r\n\r\nLog in to the Cisco Meraki dashboard.\r\nNavigate to Network-wide \u003e General \u003e Device configuration.\r\nConfigure the Local credentials field with a user-defined strong password. This password and the username admin will be used as LSP credentials for all devices that belong to the network under configuration.\r\n\r\nNote: The LSP can be disabled by a configuration change in the Cisco Meraki Dashboard. However, regardless of the setting, the LSP will remain active on devices that are equipped with a physical management port. Therefore, Cisco Meraki recommends that administrators change the factory default credentials.\r\n\r\nThe steps for changing the default password of the Local Status Page are outlined in the following document: Using the Cisco Meraki Device Local Status Page. [\"https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Configuring_the_Local_Status_Page\"]",
        "title": "Recommendations"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "Cisco Meraki would like to thank Mohammed Adel of Safe Decision Cybersecurity Labs for the suggestion to raise awareness of LSP factory default credentials among Cisco Meraki customers.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
      "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco Meraki Local Status Page Configuration Hardening",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-lsp-7xySn6pj"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "Using the Cisco Meraki Device Local Status Page.",
        "url": "https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Configuring_the_Local_Status_Page"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
      }
    ],
    "title": "Cisco Meraki Local Status Page Configuration Hardening",
    "tracking": {
      "current_release_date": "2023-04-05T16:00:00+00:00",
      "generator": {
        "date": "2023-04-05T15:47:43+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-meraki-lsp-7xySn6pj",
      "initial_release_date": "2023-04-05T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2023-04-05T15:47:19+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  }
}