Shellshock Bash Bug: Meraki is not affected

Cisco Meraki devices and our cloud backend are not vulnerable to the Shellshock vulnerability.

As many of you are now aware, a widespread vulnerability known as Shellshock found in the Bash shell—a piece of software running on millions of computers (including most servers and computers running the Mac OS X and Linux operating systems)—has been making headlines.

It’s a nasty bug, and it’s been lurking in the Bash code for years. It’s on par with the Heartbleed vulnerability in terms of potential seriousness and the sheer number of systems that might be exposed.

Here is what Meraki customers should know: Cisco Meraki devices are not vulnerable to the ShellShock exploit as they don’t run any affected software.  Some components of the Cisco Meraki cloud backend do run software that is within the scope of this vulnerability, but were patched the day it was announced to remove any exposure.  In addition, customers using the MX Intrusion Detection and Prevention (IPS) feature with the “Balanced” or “Security” rulesets automatically received Sourcefire signatures to detect and block this vulnerability within 24 hours of the announcement.

For information on other Cisco products, please see the Cisco advisory on the Shellshock vulnerability.