December 2020
SECURITY SolarWinds Orion Platform Supply Chain Attack
Please note that Cisco Meraki is not impacted by the recently announced exploit in the SolarWinds Orion Monitoring software.
Some Cisco Meraki customers do use SolarWinds products to monitor their networks. We recommend that these customers follow the remediation steps provided by SolarWinds. After malicious accounts and persistence mechanisms have been removed, Cisco Meraki customers should remember to rotate any Cisco Meraki API keys entered into SolarWinds products.
Cisco’s official advisory is available here: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-solarwinds-supply-chain-attack
April 2020
SECURITY FullMAC Wi-Fi chipsets vulnerability
Summary
A security vulnerability known as kr00k (CVE ID: CVE-2019-15126, CVSSv3 Base Score: 3.1) was disclosed for Wi-Fi client devices on February 26, 2020. Certain Cisco Meraki products from the MR product family (MR26, MR32, MR34 and MR72) and MX product family (MX64W and MX65W) use these impacted chips and are affected by this vulnerability. This vulnerability could allow a malicious party within the range of a vulnerable Wi-Fi network to capture and decrypt a small amount of sensitive wireless network data at a time.
Details
Affected Meraki Products are the MR26, MR32, MR34, MR72, MX64W and MX65W. The bug described by CVE-2019-15126 could allow a malicious party within range of a Wi-Fi Protected Access 2 (WPA2) network to capture and decrypt several kilobytes of potentially sensitive wireless network data at a time. The specific data exposed would be random, not controlled by the attacker, and based on what was being transferred wirelessly at the time between connected devices. However, a malicious party could repeat collection steps to acquire additional data. The information revealed over time to a malicious attacker would be similar to what they would see on an open WLAN network without WPA2. It is important to note that successful exploitation of this vulnerability does not allow for a full compromise of user communications. If a user’s communications are already encrypted, such as visiting websites using HTTPS or using a VPN, those communications still remain secure.
Action
We have applied a fix internally to our firmware, but we are still testing to ensure stability and performance. For additional information and fix availability dates, please see the linked documentation: FullMAC Wi-Fi chipsets vulnerability
March 2019
SECURITY Cisco Meraki MX67 and MX68 Sensitive Information Disclosure Vulnerability
Summary
A security vulnerability (CVE ID: CVE-2019-1815, CVSSv3 SCORE: Base 7.5) was discovered in the Local Status Page functionality of Cisco Meraki’s MX67 and MX68 security appliance models that may allow unauthenticated individuals to access and download logs containing sensitive, privileged device information. The vulnerability is due to improper access control to the files holding debugging and maintenance information and is only exploitable when the Local Status Page is enabled on the device. An attacker exploiting this vulnerability may obtain access to wireless pre-shared keys, Site-to-Site VPN key, and other sensitive information. Under certain circumstances, this information may allow an attacker to obtain administrator-level access to the device.
Additional information on the information disclosed can be found in the Details section of this advisory.
Details
Affected products include only the MX67 and MX68 security appliances. It is only possible to exploit this vulnerability if the Local Status Page is enabled on the device and if the attacker can gain either local network access or physical access to the device. The Local Status Page is enabled by default on affected devices. Each exploit attempt would be scoped on a per-device basis given these requirements.
An attacker able to successfully exploit this vulnerability may obtain access to sensitive information, including but not limited to:
* Active Directory credentials (if AD integration has been configured on the device)
* wireless pre-shared keys (if configured on the device)
* device’s firmware version
* device’s configuration file
* device’s serial number
Cisco Meraki MX67 and MX68 use the device’s serial number as default credentials to login to the Local Status Page. An attacker may be able to use this vulnerability to obtain a device’s serial number. If the default credentials have NOT been changed on the device, the attacker may be able to use this serial number to login to the device and obtain further information or change the device’s configuration.
NOTE: exploiting this vulnerability does NOT provide an attacker with the Meraki Dashboard password.
Action
Cisco Meraki strongly recommends that affected customers change all passwords and secrets entered for the MX devices for feature uses. This does not mean that customers need to change their passwords to log into Dashboard, but rather any credentials entered into Dashboard that are required to use certain features such as Site-to-Site VPN or Active Directory integrations. This step is recommended for all affected customers to ensure that the passwords and secrets in use do not have the potential to be compromised.
Cisco Meraki has released new stable firmware across all affected platforms with fixes for this vulnerability and recommends customers schedule a firmware upgrade to a fixed release at their earliest convenience. Further details are available in the changelog firmware notes for each affected product, which can be found in the Meraki Dashboard.
Customers unable to immediately upgrade the firmware on their affected devices can temporarily disable the Local Status Page to protect their devices until all affected devices have been upgraded to a fixed software release. A document describing the issue in further detail is available for reference.
November 2018
SECURITY Local Status Page Vulnerability
Summary
A vulnerability was discovered on MX, MS and MR Cisco Meraki devices that provide the option of logging in using a Local Status Page. This page is typically used for a few key configuration options needed to get devices connected to the cloud, either on initial setup or after moving/changing configurations upstream. The vulnerability allows an attacker to inject configuration options and data into the device via this page. The attacker would require either physical access to the device or local network access, plus knowledge of the credentials for the local status page, to exploit this vulnerability.
Scope
Affected products include all models in the MX, MS, and MR Product lines. It is only possible to exploit this vulnerability if the local status page is enabled on the device, if the attacker can gain either local network access or physical access to the device, and if the attacker has knowledge of the credentials set to authenticate on the local status page. Each exploit attempt would be scoped on a per-device basis given these requirements.
Action
Cisco Meraki has released new stable firmware across all affected platforms with fixes for this vulnerability. Further details are available in the changelog firmware notes for each affected product, which can be found in the Meraki dashboard. If you are unable to immediately upgrade the firmware on your device, you can disable the local status page or change the credentials to a complex password to help protect your devices while you schedule firmware upgrades. We have put together a document on the Local Status Page Vulnerability, and Cisco PSIRT has issued an advisory that will provide you with additional information about this issue.
SECURITY BLE Chipset Memory Vulnerability
Summary
A security vulnerability has been identified in the Bluetooth Low Energy (BLE) chipset embedded in select MR Access Points. This vulnerability can cause memory corruption, which could lead to Remote Code Execution (RCE) on the main CPU of the embedded device and, if that device is connected to a network, potentially to access to other devices across that network. This vulnerability can only be exploited if the attacker is in physical proximity to the device while the MR Access Point is in BLE-scanning mode.
The Meraki engineering team has not been able to internally replicate this vulnerability under a diverse set of situations and environments.
Scope
The MR30H, MR33, MR42E, MR53E, and MR74 are the only potentially affected MR Access Point models. These APs use a specific chipset for BLE operations that is known to be affected by this vulnerability.
All Meraki MR Access Points have been designed carefully to minimize exposure to such an issue with BLE. After significant testing, Meraki engineering has not been able to reproduce this issue on our Access Points, and based on our current information Meraki MR Access Points are not significantly at risk to the described vulnerability.
Action
Networks containing MR30H, MR33, and MR74 APs can be upgraded to MR25.13, which contains a security patch for the BLE chipset identified in the vulnerability. Networks containing MR42E and MR53E APs can be upgraded to MR26.1 to apply the security patch for these specific models.
In the interim, customers can temporarily disable BLE scanning functionality while planning the necessary firmware upgrades. The process for disabling the feature can be found in our Bluetooth Low Energy (BLE) documentation.
August 2018
MS225 and MS210 Product Shipping Hold
(Posted August 1, 2018 – Updated August 27, 2018)
Summary
After completing an investigation into the MS225-48LP, MS225-48FP, MS210-48LP, and MS210-48FP switch models, we confirmed that there is an issue with the fan component in these models. We have redesigned and tested the switch with new fan hardware that is both more powerful and quieter than the previous component that caused issues. Beginning October 2018 we are proactively replacing the exposed units with the improved design. For more details refer to: MS225/MS210-48LP/FP Proactive Replacement
Scope
This issue affects MS225-48LP, MS225-48FP, MS210-48LP, and MS210-48FP models.
Action
During the week of August 27, affected customers will be notified with an email that includes instructions. Customers may navigate to Help > Hardware replacements on the Meraki dashboard to determine if they are affected. From this page, they can follow instructions to request a free replacement. In addition to hardware replacement, there is also a firmware remediation that can extend the life of the switch.
SECURITY WPA/WPA2-PSK and 802.11r PMKID Vulnerability
Summary
On August 4, 2018, a new method to exploit a known vulnerability was announced by Jens Steube from the Hashcat project for wireless networks that use WPA/WPA2-PSK (pre-shared key), allowing attackers to obtain the PSK being used for the particular SSID.
Scope
The vulnerability affects most wireless vendors using roaming technologies, including Cisco Meraki. Our teams have completed a thorough investigation to validate our initial findings. Only customers using fast roam (802.11r) with WPA/WPA2-PSK are affected when using Meraki APs.
Action
Meraki has notified all affected customers via email and has also made a tool available to affected customers in dashboard under Announcements > KRACK & PMKID Vulnerability Impact. The tool allows affected customers to gauge impact in a single location rather than checking the configuration of each SSID individually.
For additional details about the attack and our updates, please refer to our public-facing FAQ.
For more technical information, please see Cisco’s Product Security Incident Response Team (PSIRT) vulnerability disclosure.
May 2018
SECURITY VPNFilter
Summary
VPNFilter is a malware program that infiltrates vulnerable devices for the purpose of file collection, code execution, and data export. It targets small and home office devices and can potentially result in the device being unusable.
Scope
At this point in time, no Meraki devices are known to be affected and customers that have MXs with the Advanced Security license and IPS (Snort) enabled can keep their networks safe from this malware. Our teams are currently running a thorough investigation to validate our initial findings.
Action
The latest VPNFilter Snort signatures uploaded by the Talos team were pushed to the entire population of MXs in less than a day. Customers that have the Advanced Security license and have IPS enabled are already protected, as these signatures have been pushed to every MX in the world.
This attack is still being actively investigated by Cisco’s threat research team, Talos. You can find the latest information on their live blog.
We also have a live blog post on our Meraki site now about VPNFilter for publicly available information.
FEBRUARY 2018
SECURITY SAML Vulnerability CVE-2017-11428
Summary
A SAML vulnerability has been discovered and reported that can allow attackers with authenticated access to pivot and authenticate as a different user. The attacker can edit the SAML Assertions and alter them to authenticate with another account without knowing that account’s password or login information. The flaw lies in XML comment handling, which allows the attacker to alter the user name and gain access to the account.
Scope
Affected customers are those with SAML Integration enabled in Dashboard and more than one trusted user with Meraki Dashboard access via SAML. This is only possible if the attacker has access to an existing account.
Action
The Cisco Meraki security team has updated our SAML services to remove this vulnerability for all users.
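The parsing mistake behind the XML comment handling flaw, shown beside a hardened NameID extractor. This is an added example and not Cisco Meraki’s code; the assertion fragment, the identity `bob@example.com.example.net` and the function names are constructed for illustration, and signature verification (which a real service provider performs first) is out of scope.

```python
"""Extracting a SAML NameID safely when the element contains an XML comment.

Added example, not Cisco Meraki's code. A comment inside <NameID> is dropped by
exclusive canonicalization, so the assertion's signature still verifies, yet a
service provider that reads only the first text node sees a truncated identity.
"""
import xml.dom.minidom as minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not from the page). The account that legitimately obtained
# this assertion is "bob@example.com.example.net"; a comment has been inserted
# after "bob@example.com".
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Subject>"
    "<saml:NameID>bob@example.com<!---->.example.net</saml:NameID>"
    "</saml:Subject>"
    "</saml:Assertion>"
)

# Constructed clean assertion for the same account, no comment.
CLEAN_ASSERTION = SAMPLE_ASSERTION.replace("<!---->", "")


def _name_id_element(assertion_xml: str):
    """Locate the single NameID element, namespace-aware."""
    doc = minidom.parseString(assertion_xml)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID element")
    return nodes[0]


def vulnerable_name_id(assertion_xml: str) -> str:
    """The flawed pattern: return only the first text node under NameID.

    The comment splits the value into two text nodes, so the identity the
    attacker chose ("bob@example.com") is what gets matched against accounts.
    """
    return _name_id_element(assertion_xml).firstChild.data


def hardened_name_id(assertion_xml: str, strict: bool = True) -> str:
    """Return the full NameID value.

    strict=True rejects any non-text child (comments, nested elements), which
    is the safest policy. strict=False tolerates comments but still joins every
    text node, so the result is the identity that was actually signed.
    """
    elem = _name_id_element(assertion_xml)
    parts = []
    for child in elem.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif strict:
            raise ValueError(
                "NameID contains a non-text node (%s); rejecting assertion"
                % child.nodeName
            )
    return "".join(parts)


if __name__ == "__main__":
    print("vulnerable :", vulnerable_name_id(SAMPLE_ASSERTION))
    print("hardened   :", hardened_name_id(SAMPLE_ASSERTION, strict=False))
    try:
        hardened_name_id(SAMPLE_ASSERTION)
    except ValueError as exc:
        print("strict     :", exc)
```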
JANUARY 2018
SECURITY Samsam
Summary
Samsam is a ransomware-type malware that is usually used for opportunistic attacks, leveraging open ports (e.g. RDP/VNC). The Cisco Talos team has recently identified an increase in such attacks, targeting hospitals, city councils, and ICS (Information and Computer Services) firms. The initial infection vector for these ongoing attacks is currently unknown, and Talos is investigating in order to identify it.
Scope
This ransomware has been observed across multiple industries including Government, Healthcare and ICS. These attacks do not appear to be highly targeted, and appear to be more opportunistic in nature.
Action
For Meraki MX customers with an Advanced Security License, make sure that Intrusion Prevention is enabled with the Balanced or Security ruleset. For other Meraki customers, please refer to the further details link below for guidance on best practice. Meraki always recommends allowing external access to such services only through VPN, never by opening their ports to the internet.
SECURITY Spectre and Meltdown
Summary
Meltdown and Spectre are vulnerabilities affecting almost all computing devices, which have received widespread coverage in the public media. These vulnerabilities have been present in most processors shipped over at least the past 10 years, but have only recently come to light. Patches for the majority of desktop and mobile operating systems in common use have already been issued.
Scope
Meltdown impacts CPUs from several large component suppliers, potentially enabling a malicious program to access sensitive data. Meraki hardware and cloud services are not impacted by these vulnerabilities.
Action
Customers using Meraki virtual machines – vMX or Virtual Concentrator – should verify that host operating systems are patched.
OCTOBER 2017
SECURITY Privilege Escalation Vulnerability
Summary
On October 18, 2017, Cisco Meraki corrected a technical error in the Meraki dashboard that previously made sensitive administrator authentication information available to other trusted dashboard users within the same organization. The issue allowed trusted users, with varying levels of permission, to view and access the API key and encrypted (BCrypt hashed and salted) passwords for their organization’s primary administrator. The primary administrator account is the first and/or oldest user account with full (read-write) permissions for an organization in the Meraki dashboard. This information disclosure presents the risk that less privileged users could perform API actions as though they were their organization’s primary administrator. Upon learning of the issue on October 18, 2017, Cisco Meraki immediately updated the dashboard so that the involved sensitive authentication information was no longer accessible.
If trusted users viewed the source of dashboard pages, they could have viewed the primary organization administrator’s API key and encrypted password. Cisco Meraki has no evidence to indicate that dashboard users have misused information exposed by this issue. The information, while sensitive, was only exposed to an organization’s own set of trusted users, and recovery of a usable password from its BCrypt hashed, salted version is extremely unlikely. However, a trusted user who accessed an administrator’s API key could potentially use it to change their own permissions within the Meraki dashboard. A list of administrators and permission levels and logs of changes made via the API are always available for audit within the Meraki dashboard.
Scope
Affected customers are those with more than one trusted user for the Meraki dashboard, and whose trusted users logged into dashboard between November 2016 and October 18, 2017.
Action
While risk associated with this incident is low, as a precaution, Cisco Meraki will be prompting affected administrators to update their passwords beginning on November 13, 2017. Additionally, Cisco Meraki will be directly contacting impacted primary organization administrators who have generated API keys, advising that they rotate their keys and update software using these keys at their earliest opportunity.
SECURITY BadRabbit Ransomware outbreak
Summary and Impact
On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. This outbreak bore similarities to those seen earlier in 2017.
Scope
This outbreak did not compromise computers without user intervention.
Action
No action required for MX customers with an Advanced Security License. For other Meraki customers, please refer to the further details link below for guidance on best practice.
SECURITY dnsmasq Vulnerabilities CVE-2017-14491 & CVE-2017-13704
Summary and Impact
On October 2, 2017, the Google Security Team disclosed seven vulnerabilities affecting dnsmasq, a popular lightweight DNS resolver/cacher and DHCP server widely used to provide DNS and DHCP network services.
Scope
Meraki MR, MS, MX and MV utilize various versions of dnsmasq for DNS resolution services and are vulnerable to CVE-2017-14491 and CVE-2017-13704 specifically.
Action
Firmware versions which address these vulnerabilities are available for all platforms. Further details are available in the changelog firmware notes for each affected product.
SECURITY KRACK Wi-Fi vulnerabilities – CVE 2017-13082
Summary and Impact
On October 16, 2017, 10 new security vulnerabilities were announced that target the session establishment and management process in WPA(1/2)-PSK and Enterprise.
Scope
Of the 10 vulnerabilities, only one impacts Meraki access points for customers using 802.11r (fast roaming).
Action
Patches have been made available for Meraki access points. Customers using 802.11r either need to disable this feature or install a patch in order to eliminate risk related to this vulnerability.
Switch Fan Issue
Summary and Impact
On October 9th, 2017, we informed customers with certain switch models of an issue relating to the fan control system which could lead to premature unit failure. A firmware patch was issued which addresses this issue, and customers with switches exhibiting specific symptoms are being offered a free replacement switch.
Scope
All MS225-48LP/FP switch models.
Action
Organizations containing the affected switch models will see a banner in their dashboard if their switches need to be replaced. All affected switches will automatically receive a firmware upgrade. Administrators wishing to reschedule the upgrade will have the opportunity to do so.
AUGUST 2017
North American Object Storage Service Impact
Summary and Impact
On August 3rd, 2017, our engineering team made a configuration change that applied an erroneous policy to our North American object storage service and caused certain data uploaded prior to 11:20AM Pacific time on August 3 to be deleted. The issue was quickly remediated and is no longer occurring. In the majority of cases, this issue did not impact network operations, but had the potential to be an inconvenience as some data may have been deleted. This issue was limited to user uploaded data. Network configuration data was not impacted and no customer data was compromised.
Scope
Impacted customers will see a notification banner in the dashboard, with a link to organization-specific details.
Action
Our engineering team developed tools to help our customers specifically identify what files have been deleted from their Organization, together with tools to simplify uploading of replacement files.
JUNE 2017
SECURITY Nyetya (Petya) Ransomware outbreak
Summary and Impact
Based on the same SMB-related EternalBlue and EternalRomance exploits used by Wannacry, this ransomware attack is more destructive in nature.
Scope
Certain unpatched Windows systems are vulnerable.
Action
No action required for MX customers with an Advanced Security License. For other Meraki customers, please refer to the further details link below for guidance on best practice.
MAY 2017
SECURITY Wannacry Ransomware Outbreak
Summary and Impact
Ransomware attack exploiting a vulnerability in Windows SMB.
Scope
Certain unpatched Windows systems are vulnerable.
Action
No action required for MX customers with an Advanced Security License. For other Meraki customers, please refer to the further details link below for guidance on best practice.
FEBRUARY 2017
Clock Signal Component Issue
Summary and Impact
Two Meraki product lines were affected by a clock signalling component issue which could result in premature failure.
Scope
Shipments of MS350 switch models and the MX84 security appliance were affected by this issue prior to the problem being resolved in January 2017.
Action
Customers with affected units have been contacted and replacement units are being shipped.