Cisco Meraki Customer Advisories



March 2019


SECURITY Cisco Meraki MX67 and MX68 Sensitive Information Disclosure Vulnerability

Summary

A security vulnerability (CVE ID: CVE-2019-1815, CVSSv3 SCORE: Base 7.5) was discovered in the Local Status Page functionality of Cisco Meraki’s MX67 and MX68 security appliance models that may allow unauthenticated individuals to access and download logs containing sensitive, privileged device information. The vulnerability is due to improper access control to the files holding debugging and maintenance information and is only exploitable when the Local Status Page is enabled on the device. An attacker exploiting this vulnerability may obtain access to wireless pre-shared keys, Site-to-Site VPN key, and other sensitive information. Under certain circumstances, this information may allow an attacker to obtain administrator-level access to the device.

Additional information on the information disclosed can be found in the Details section of this advisory.

Details

Affected products include only the MX67 and MX68 security appliances. It is only possible to exploit this vulnerability if the Local Status Page is enabled on the device and if the attacker can gain either local network access or physical access to the device. The Local Status Page is enabled by default on affected devices. Each exploit attempt would be scoped on a per-device basis given these requirements.

An attacker able to successfully exploit this vulnerability may obtain access to sensitive information, including but not limited to:

* Active Directory credentials (if AD integration has been configured on the device)

* wireless pre-shared keys (if configured on the device)

* device’s configuration file

* device’s serial number

* device’s firmware version

Cisco Meraki MX67 and MX68 use the device’s serial number as the default credentials for logging in to the Local Status Page. An attacker may be able to use this vulnerability to obtain a device’s serial number. If the default credentials have NOT been changed on the device, the attacker may be able to use this serial number to log in to the device and obtain further information or change the device’s configuration.

NOTE: exploiting this vulnerability does NOT provide an attacker with the Meraki Dashboard password.

Action

Cisco Meraki strongly recommends that affected customers change all passwords and secrets entered in Dashboard for use by MX device features. This does not mean that customers need to change the passwords they use to log in to Dashboard, but rather any credentials entered into Dashboard that are required to use certain features such as Site-to-Site VPN or Active Directory integration. This step is recommended for all affected customers to ensure that the passwords and secrets in use do not have the potential to be compromised.

Cisco Meraki has released new stable firmware across all affected platforms with fixes for this vulnerability and recommends customers schedule a firmware upgrade to a fixed release at their earliest convenience. Further details are available in the changelog firmware notes for each affected product, which can be found in the Meraki Dashboard.

Customers unable to immediately upgrade the firmware on their affected devices can temporarily disable the Local Status Page to protect their devices until all affected devices have been upgraded to a fixed software release. A document describing the issue in further detail is available for reference.



November 2018


SECURITY Local Status Page Vulnerability

Summary

A vulnerability was discovered on MX, MS and MR Cisco Meraki devices that provide the option of logging in using a Local Status Page. This page is typically used for a few key configuration options needed to get devices connected to the cloud, either on initial setup or after moving or changing configurations upstream. The vulnerability allows an attacker to inject configuration options and data into the device via this page. The attacker would require either physical access to the device or local network access, plus knowledge of the credentials for the local status page, to exploit this vulnerability.

Scope

Affected products include all models in the MX, MS, and MR Product lines. It is only possible to exploit this vulnerability if the local status page is enabled on the device, if the attacker can gain either local network access or physical access to the device, and if the attacker has knowledge of the credentials set to authenticate on the local status page. Each exploit attempt would be scoped on a per-device basis given these requirements.

Action

Cisco Meraki has released new stable firmware across all affected platforms with fixes for this vulnerability. Further details are available in the changelog firmware notes for each affected product, which can be found in the Meraki dashboard. If you are unable to immediately upgrade the firmware on your device, you can disable the local status page or change the credentials to a complex password to help protect your devices while you schedule firmware upgrades. We have put together a document on the Local Status Page Vulnerability, and Cisco PSIRT has issued an advisory, both of which provide additional information about this issue.




SECURITY BLE Chipset Memory Vulnerability

Summary

A security vulnerability has been identified in the Bluetooth Low Energy (BLE) chipset embedded in select MR Access Points. This vulnerability can cause memory corruption which could lead to Remote Code Execution (RCE) on the main CPU of an embedded device and, when the affected chipset sits in a networked device, potentially provide access to other devices across the network. This vulnerability can only be exploited if the attacker is within physical proximity of the device while the MR Access Point is in BLE-scanning mode.

The Meraki engineering team has not been able to internally replicate this vulnerability under a diverse set of situations and environments.

Scope

The MR30H, MR33, MR42E, MR53E, and MR74 are the only potentially affected MR Access Point models. These APs use a specific BLE chipset that is known to be affected by this vulnerability.

All Meraki MR Access Points have been designed carefully to minimize exposure to such an issue with BLE. After significant testing, Meraki engineering has not been able to reproduce this issue on our Access Points, and based on our current information Meraki MR Access Points are not significantly at risk from the described vulnerability.

Action

Networks containing MR30H, MR33, and MR74 APs can be upgraded to MR25.13, which contains a security patch for the BLE chipset identified in the vulnerability. Networks containing MR42E and MR53E APs can be upgraded to MR26.1 to apply the security patch for these specific models.

In the interim, customers can temporarily disable BLE scanning functionality while planning the necessary firmware upgrades. The process for disabling the feature can be found in our Bluetooth Low Energy (BLE) documentation.


August 2018


MS225 and MS210 Product Shipping Hold

(Posted August 1, 2018 – Updated August 27, 2018)

Summary

After completing an investigation into the MS225-48LP, MS225-48FP, MS210-48LP, and MS210-48FP switch models, we confirmed that there is an issue with the fan component in these models. We have redesigned and tested the switch with new fan hardware that is both more powerful and quieter than the previous component that caused issues. Beginning October 2018 we are proactively replacing the exposed units with the improved design. For more details refer to: MS225/MS210-48LP/FP Proactive Replacement

Scope

This issue affects MS225-48LP, MS225-48FP, MS210-48LP, and MS210-48FP models.

Action

During the week of August 27, affected customers will be notified with an email that includes instructions. Customers may navigate to Help > Hardware replacements on the Meraki dashboard to determine if they are affected. From this page, they can follow instructions to request a free replacement. In addition to hardware replacement, there is also a firmware remediation that can extend the life of the switch.




SECURITY WPA/WPA2-PSK and 802.11r PMKID Vulnerability

Summary

On August 4, 2018, a new method to exploit a known vulnerability was announced by Jens Steube from the Hashcat project for wireless networks that use WPA/WPA2-PSK (pre-shared key), allowing attackers to obtain the PSK being used for the particular SSID.

Scope

The vulnerability affects most wireless vendors using roaming technologies, including Cisco Meraki. Our teams have completed a thorough investigation to validate our initial findings. Only customers using fast roam (802.11r) with WPA/WPA2-PSK are affected when using Meraki APs.

Action

Meraki has notified all affected customers via email and has also made a tool available to affected customers in dashboard under Announcements > KRACK & PMKID Vulnerability Impact. The tool allows affected customers to gauge impact in a single location rather than checking the configuration of each SSID individually.

For additional details about the attack and our updates, please refer to our public-facing FAQ.

For more technical information, please see Cisco’s Product Security Incident Response Team (PSIRT) vulnerability disclosure.



May 2018


SECURITY VPNFilter

Summary

VPNFilter is a malware program that infiltrates vulnerable devices for the purpose of file collection, code execution, and data exfiltration. It targets small and home office devices and can potentially render the device unusable.

Scope

At this point in time, no Meraki devices are known to be affected and customers that have MXs with the Advanced Security license and IPS (Snort) enabled can keep their networks safe from this malware. Our teams are currently running a thorough investigation to validate our initial findings.

Action

The latest VPNFilter Snort signatures uploaded by the Talos team were pushed to the entire population of MXs in less than a day. Customers that have the Advanced Security license and have IPS enabled are already protected, as these signatures have been pushed to every MX in the world. 

This attack is still being actively investigated by Cisco’s threat research team, Talos. You can find the latest information on their live blog.

We also have a live blog post on our Meraki site now about VPNFilter for publicly available information.



FEBRUARY 2018


SECURITY SAML Vulnerability CVE-2017-11428

Summary

A SAML vulnerability has been discovered and reported that can allow attackers with authenticated access to pivot and authenticate as a different user. The attacker can edit a SAML assertion and alter it to authenticate with another account without knowing that account’s password or login information. The flaw lies in XML comment handling, which allows the attacker to alter the user name and gain access to the account.
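To show why the comment-handling flaw matters and what a service provider can check, here is an added illustration in Python (not Cisco Meraki’s code). It uses a constructed, unsigned SAML-like fragment in which a comment splits the NameID into two text nodes; the naive extractor that reads only the first text node returns a truncated name, while the hardened extractor rejects any NameID that is not a single plain text node.

```python
"""Added example, not Cisco Meraki's code: naive vs. hardened NameID extraction."""
from xml.dom import minidom

# Constructed fragment for illustration only (unsigned, minimal). A real
# assertion is signed and much larger; the point is the comment inside NameID.
SAMPLE_ASSERTION = """<?xml version="1.0"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject>
    <NameID>admin<!-- split -->istrator@example.com</NameID>
  </Subject>
</Assertion>"""

# Constructed clean assertion with a single text node in NameID.
CLEAN_ASSERTION = """<?xml version="1.0"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject>
    <NameID>alice@example.com</NameID>
  </Subject>
</Assertion>"""


def naive_name_id(xml_text):
    """The flawed pattern: read only the first child node of NameID.

    minidom keeps comments, so the text before and after the comment become
    two separate Text nodes; this returns just the first one.
    """
    doc = minidom.parseString(xml_text)
    node = doc.getElementsByTagName("NameID")[0]
    return node.firstChild.nodeValue


def hardened_name_id(xml_text):
    """Accept a NameID only if it is exactly one Text node.

    Comments, CDATA mixing or child elements make the child list longer
    than one (or of a different node type), and the assertion is rejected
    rather than silently truncated.
    """
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagName("NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID element")
    children = nodes[0].childNodes
    if len(children) != 1 or children[0].nodeType != children[0].TEXT_NODE:
        raise ValueError("NameID must be a single text node")
    return children[0].nodeValue.strip()


if __name__ == "__main__":
    print("naive:", naive_name_id(SAMPLE_ASSERTION))        # truncated name
    print("clean:", hardened_name_id(CLEAN_ASSERTION))
    try:
        hardened_name_id(SAMPLE_ASSERTION)
    except ValueError as exc:
        print("rejected:", exc)
```

This structural check complements, and never replaces, signature verification: the service provider must still verify the assertion’s XML signature before reading any value from it.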

Scope

Affected customers are those with SAML Integration enabled in Dashboard and more than one trusted user with Meraki Dashboard access via SAML. This is only possible if the attacker has access to an existing account.

Action

The Cisco Meraki security team has updated our SAML services to remove this vulnerability for all users.



JANUARY 2018


SECURITY Samsam

Summary

Samsam is ransomware that is usually used for opportunistic attacks, leveraging open ports (e.g. RDP/VNC). The Cisco Talos team has recently identified an increase in such attacks, targeting hospitals, city councils, and ICS (Information and Computer Services) firms. The initial infection vector for these ongoing attacks is currently unknown, and Talos is investigating in order to identify it.

Scope

This ransomware has been observed across multiple industries including Government, Healthcare and ICS. These attacks do not appear to be highly targeted, and appear to be more opportunistic in nature.

Action

For Meraki MX customers with an Advanced Security License, make sure that Intrusion Prevention is enabled with the Balanced or Security ruleset. For other Meraki customers, please refer to the further details link below for guidance on best practice. Meraki always recommends allowing external access to such services only through VPN and not by opening ports for them.

Further details



SECURITY Spectre and Meltdown

Summary

Meltdown and Spectre are vulnerabilities affecting almost all computing devices, which have received widespread coverage in the public media. These vulnerabilities have been present in most processors shipped over at least the past 10 years, but have only recently come to light. Patches for the majority of desktop and mobile operating systems in common use have already been issued.

Scope

Meltdown impacts CPUs from several large component suppliers, potentially enabling a malicious program to access sensitive data. Meraki hardware and cloud services are not impacted by these vulnerabilities.

Action

Customers using Meraki virtual machines – vMX or Virtual Concentrator – should verify that host operating systems are patched.

Further details



OCTOBER 2017


SECURITY Privilege Escalation Vulnerability

Summary

On October 18, 2017, Cisco Meraki corrected a technical error in the Meraki dashboard that previously made sensitive administrator authentication information available to other trusted dashboard users within the same organization. The issue allowed trusted users, with varying levels of permission, to view and access the API key and encrypted (BCrypt hashed and salted) passwords for their organization’s primary administrator. The primary administrator account is the first and/or oldest user account with full (read-write) permissions for an organization in the Meraki dashboard. This information disclosure presents the risk that less privileged users could perform API actions as though they were their organization’s primary administrator. Upon learning of the issue on October 18, 2017, Cisco Meraki immediately updated the dashboard so that the involved sensitive authentication information was no longer accessible.

If trusted users viewed the source of dashboard pages, they could have viewed the primary organization administrator’s API key and encrypted password. Cisco Meraki has no evidence to indicate that dashboard users have misused information exposed by this issue. The information, while sensitive, was only exposed to an organization’s own set of trusted users, and recovery of a usable password from its BCrypt hashed, salted version is extremely unlikely. However, a trusted user who accessed an administrator’s API key could potentially use it to change their own permissions within the Meraki dashboard. A list of administrators and permission levels and logs of changes made via the API are always available for audit within the Meraki dashboard.

Scope

Affected customers are those with more than one trusted user for the Meraki dashboard, and whose trusted users logged into dashboard between November 2016 and October 18, 2017.

Action

While risk associated with this incident is low, as a precaution, Cisco Meraki will be prompting affected administrators to update their passwords beginning on November 13, 2017. Additionally, Cisco Meraki will be directly contacting impacted primary organization administrators who have generated API keys, advising that they rotate their keys and update software using these keys at their earliest opportunity.

Further details



SECURITY BadRabbit Ransomware outbreak

Summary and Impact

On October 24, 2017, Cisco Talos was alerted to a wide-scale ransomware campaign affecting organizations across eastern Europe and Russia. This outbreak bore similarities to those seen earlier in 2017.

Scope

This outbreak did not compromise computers without user intervention.

Action

No action required for MX customers with an Advanced Security License. For other Meraki customers, please refer to the further details link below for guidance on best practice.

Further details



SECURITY dnsmasq Vulnerabilities CVE-2017-14491 & CVE-2017-13704

Summary and Impact

On October 2, 2017, the Google Security Team disclosed seven vulnerabilities affecting dnsmasq, a popular lightweight DNS resolver/cacher and DHCP server widely used to provide DNS and DHCP network services.

Scope

Meraki MR, MS, MX and MV utilize various versions of dnsmasq for DNS resolution services and are vulnerable to CVE-2017-14491 and CVE-2017-13704 specifically.

Action

Firmware versions which address these vulnerabilities are available for all platforms. Further details are available in the changelog firmware notes for each affected product.



SECURITY KRACK Wi-Fi vulnerabilities – CVE-2017-13082

Summary and Impact

On October 16, 2017, 10 new security vulnerabilities were announced that target the session establishment and management process in WPA(1/2)-PSK and Enterprise.

Scope

Of the 10 vulnerabilities, only one impacts Meraki access points for customers using 802.11r (fast roaming).

Action

Patches have been made available for Meraki access points. Customers using 802.11r either need to disable this feature or install a patch in order to eliminate risk related to this vulnerability.

Further details



Switch Fan Issue

Summary and Impact

On October 9th, 2017, we informed customers with certain switch models of an issue relating to the fan control system which could lead to premature unit failure. A firmware patch was issued which addresses this issue, and customers with switches exhibiting specific symptoms are being offered a free replacement switch.

Scope

All MS225-48LP/FP switch models.

Action

Organizations containing the affected switch models will see a banner in their dashboard if their switches need to be replaced. All affected switches will automatically receive a firmware upgrade. Administrators wishing to reschedule the upgrade will have the opportunity to do so.

Further details



AUGUST 2017


North American Object Storage Service Impact

Summary and Impact

On August 3rd, 2017, our engineering team made a configuration change that applied an erroneous policy to our North American object storage service and caused certain data uploaded prior to 11:20AM Pacific time on August 3 to be deleted. The issue was quickly remediated and is no longer occurring. In the majority of cases, this issue did not impact network operations, but had the potential to be an inconvenience as some data may have been deleted. This issue was limited to user uploaded data. Network configuration data was not impacted and no customer data was compromised.

Scope

Impacted customers will see a notification banner in the dashboard, with a link to organization-specific details.

Action

Our engineering team developed tools to help our customers specifically identify what files have been deleted from their Organization, together with tools to simplify uploading of replacement files.

Further details



JUNE 2017


SECURITY Nyetya (Petya) Ransomware outbreak

Summary and Impact

Based on the same SMB-related EternalBlue and EternalRomance exploits used by Wannacry, this ransomware attack is more destructive in nature.

Scope

Certain unpatched Windows systems are vulnerable.

Action

No action required for MX customers with an Advanced Security License. For other Meraki customers, please refer to the further details link below for guidance on best practice.

Further details



MAY 2017


SECURITY Wannacry Ransomware Outbreak

Summary and Impact

A ransomware attack exploiting a vulnerability in Windows SMB.

Scope

Certain unpatched Windows systems are vulnerable.

Action

No action required for MX customers with an Advanced Security License. For other Meraki customers, please refer to the further details link below for guidance on best practice.

Further details



FEBRUARY 2017


Clock Signal Component Issue

Summary and Impact

Two Meraki product lines were affected by a clock signalling component issue which could result in premature failure.

Scope

Shipments of MS350 switch models and the MX84 security appliance were affected by this issue prior to the problem being resolved in January 2017.

Action

Customers with affected units have been contacted and replacement units are being shipped.

Further details