Cisco Meraki Customer Advisories


November 2018


SECURITY Local Status Page Vulnerability

Summary

A vulnerability was discovered on MX, MS and MR Cisco Meraki devices that provide the option of logging in using a Local Status Page. This page is typically used for a few key configuration options needed to get devices connected to the cloud, either during initial setup or after moving a device or changing its upstream configuration. The vulnerability allows an attacker to inject configuration options and data into the device via this page. To exploit it, the attacker would require either physical access to the device or local network access, together with knowledge of the credentials for the local status page.

Scope

Affected products include all models in the MX, MS, and MR product lines. It is only possible to exploit this vulnerability if the local status page is enabled on the device, if the attacker can gain either local network access or physical access to the device, and if the attacker knows the credentials set to authenticate on the local status page. Given these requirements, each exploit attempt would be scoped to a single device.

Action

Cisco Meraki has released new stable firmware across all affected platforms with fixes for this vulnerability. Further details are available in the changelog firmware notes for each affected product, which can be found in the Meraki dashboard. If you are unable to upgrade the firmware on your devices immediately, you can disable the local status page or change its credentials to a complex password to help protect your devices while you schedule firmware upgrades. We have put together a document on the Local Status Page Vulnerability, and Cisco PSIRT has issued an advisory that provides additional information about this issue.

SECURITY BLE Chipset Memory Vulnerability

Summary

A security vulnerability has been identified in the Bluetooth Low Energy (BLE) chipset embedded in select MR Access Points. This vulnerability can cause memory corruption, which could lead to Remote Code Execution (RCE) on the main CPU of an embedded device and, if the affected device sits within a network, to potential access to other devices across that network. This vulnerability can only be exploited if the attacker is within physical proximity of the device while the MR Access Point is in BLE-scanning mode.

The Meraki engineering team has not been able to internally replicate this vulnerability under a diverse set of situations and environments.

Scope

The MR30H, MR33, MR42E, MR53E, and MR74 are the only potentially affected MR Access Point models. These APs use a specific chipset for BLE operations that is known to be affected by this vulnerability.

All Meraki MR Access Points have been designed carefully to minimize exposure to such an issue with BLE. After significant testing, Meraki engineering has not been able to reproduce this issue on our Access Points, and based on our current information Meraki MR Access Points are not significantly at risk from the described vulnerability.

Action

Networks containing MR30H, MR33, and MR74 can be upgraded to MR25.13, which contains a security patch for the BLE chipset identified in the vulnerability.


For networks with MR42E or MR53E APs, remediation will be available as part of the upcoming MR26.0 release, which contains the BLE chipset vulnerability patch. In the interim, customers can temporarily disable BLE scanning. The process for disabling the feature can be found in our Bluetooth Low Energy (BLE) documentation.


August 2018


MS225 and MS210 Product Shipping Hold

(Posted August 1, 2018 – Updated August 27, 2018)

Summary

After completing an investigation into the MS225-48LP, MS225-48FP, MS210-48LP, and MS210-48FP switch models, we confirmed that there is an issue with the fan component in these models. We have redesigned and tested the switch with new fan hardware that is both more powerful and quieter than the previous component that caused issues. Beginning October 2018 we are proactively replacing the exposed units with the improved design. For more details refer to: MS225/MS210-48LP/FP Proactive Replacement

Scope

This issue affects MS225-48LP, MS225-48FP, MS210-48LP, and MS210-48FP models.

Action

During the week of August 27, affected customers will be notified with an email that includes instructions. Customers may navigate to Help > Hardware replacements on the Meraki dashboard to determine if they are affected. From this page, they can follow instructions to request a free replacement. In addition to hardware replacement, there is also a firmware remediation that can extend the life of the switch.


SECURITY WPA/WPA2-PSK and 802.11r PMKID Vulnerability

Summary

On August 4, 2018, a new method to exploit a known vulnerability was announced by Jens Steube from the Hashcat project for wireless networks that use WPA/WPA2-PSK (pre-shared key), allowing attackers to obtain the PSK being used for the particular SSID.

Scope

The vulnerability affects most wireless vendors using roaming technologies, including Cisco Meraki. Our teams have completed a thorough investigation to validate our initial findings. Only customers using fast roam (802.11r) with WPA/WPA2-PSK are affected when using Meraki APs.

Action

Meraki has notified all affected customers via email and has also made a tool available to affected customers in the dashboard under Announcements > KRACK & PMKID Vulnerability Impact. The tool allows affected customers to gauge impact in a single location rather than checking the configuration of each SSID individually.

For additional details about the attack and our updates, please refer to our public-facing FAQ.

For more technical information, please see Cisco’s Product Security Incident Response Team (PSIRT) vulnerability disclosure.


May 2018


SECURITY VPNFilter

Summary

VPNFilter is a malware program that infiltrates vulnerable devices for the purpose of file collection, code execution, and data export. It targets small and home office devices and can potentially result in the device being unusable. 

Scope

At this point in time, no Meraki devices are known to be affected and customers that have MXs with the Advanced Security license and IPS (Snort) enabled can keep their networks safe from this malware. Our teams are currently running a thorough investigation to validate our initial findings.

Action

The latest VPNFilter Snort signatures uploaded by the Talos team were pushed to the entire population of MXs in less than a day. Customers that have the Advanced Security license and have IPS enabled are already protected, as these signatures have been pushed to every MX in the world. 

This attack is still being actively investigated by Cisco’s threat research team, Talos. You can find the latest information on their live blog.

We also have a live blog post on our Meraki site now about VPNFilter for publicly available information.


FEBRUARY 2018


SECURITY SAML Vulnerability CVE-2017-11428

Summary

A SAML vulnerability has been discovered and reported that can allow attackers with authenticated access to pivot and authenticate as a different user. The attacker can edit the SAML assertion to authenticate with another account without knowing that account's password or login information. The flaw lies in XML comment handling, which allows the attacker to alter the user name and gain access to the account.

Scope

Affected customers are those with SAML Integration enabled in Dashboard and more than one trusted user with Meraki Dashboard access via SAML. This is only possible if the attacker has access to an existing account.

Action

The Cisco Meraki security team has updated our SAML services to remove this vulnerability for all users.
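The XML-comment handling flaw described in the summary, shown as an added example that is not Cisco Meraki's code or that of any SAML library; the constructed assertion fragments, `SAML_NS` and the function names are assumptions for illustration. The naive extractor reads only the first text node under NameID, so an assertion whose NameID text is split by a comment is read as a different identifier, while its canonical form (and therefore a signature computed over it) is unchanged; the strict extractor refuses any non-text node inside NameID.

```python
# Added example (not Cisco Meraki's or any SAML library's code) showing the
# parsing defect class behind CVE-2017-11428 and a stricter NameID extractor.
# Run any such check only AFTER the assertion's XML signature has verified:
# canonical XML without comments drops the comment node, so a signature over
# the original assertion still verifies while a naive parser reads a
# different identifier.
import xml.etree.ElementTree as ET
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion fragment (no Signature element, for brevity).
CLEAN_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Subject><saml:NameID>alice.smith@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)

# Constructed sample: the same assertion with an empty XML comment inserted
# into the NameID text, which splits it into two text nodes.
TAMPERED_ASSERTION = CLEAN_ASSERTION.replace(
    "alice.smith@example.com", "alice<!---->.smith@example.com"
)


def canonical_form(xml_text: str) -> str:
    """Canonical XML with comments omitted, which is what XML-DSig normally signs."""
    return ET.canonicalize(xml_text, with_comments=False)


def naive_name_id(xml_text: str) -> str:
    """The flawed pattern: read only the first text node under NameID.
    A comment splits the text, so everything after it is silently dropped."""
    doc = minidom.parseString(xml_text)
    name_id = doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]
    return name_id.firstChild.nodeValue


def strict_name_id(xml_text: str) -> str:
    """Hardened extractor: exactly one NameID, whose children must all be
    text or CDATA nodes; their concatenation is the identifier. Any comment,
    element or processing instruction inside NameID is rejected."""
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError(f"expected exactly one NameID, found {len(nodes)}")
    parts = []
    for child in nodes[0].childNodes:
        if child.nodeType not in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            raise ValueError(f"unexpected {child.nodeName} node inside NameID")
        parts.append(child.data)
    value = "".join(parts).strip()
    if not value:
        raise ValueError("empty NameID")
    return value


def check_name_id(xml_text: str) -> dict:
    """Convenience wrapper: accepted flag plus the value or the rejection reason."""
    try:
        return {"accepted": True, "name_id": strict_name_id(xml_text)}
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}


if __name__ == "__main__":
    print("canonical forms identical:",
          canonical_form(CLEAN_ASSERTION) == canonical_form(TAMPERED_ASSERTION))
    print("naive, clean:    ", naive_name_id(CLEAN_ASSERTION))
    print("naive, tampered: ", naive_name_id(TAMPERED_ASSERTION))
    print("strict, clean:   ", check_name_id(CLEAN_ASSERTION))
    print("strict, tampered:", check_name_id(TAMPERED_ASSERTION))
```

Run it with Python 3.8 or later (`ET.canonicalize` was added in 3.8). Rejecting comments inside NameID does not replace signature verification; the check belongs after the signature has verified, applied to the same parsed document the signature covered, so that the identity the service provider acts on is the one the identity provider signed.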

 


JANUARY 2018


SECURITY Samsam

Summary

Samsam is a type of ransomware that is usually used in opportunistic attacks, leveraging open ports (e.g. RDP/VNC). The Cisco Talos team has recently identified an increase in such attacks, targeting hospitals, city councils, and ICS (Information and Computer Services) firms. The initial infection vector for these ongoing attacks is currently unknown, and Talos is investigating in order to identify it.

Scope

This ransomware has been observed across multiple industries including Government, Healthcare and ICS. These attacks do not appear to be highly targeted, and appear to be more opportunistic in nature.

Action

For Meraki MX customers with an Advanced Security License, make sure that Intrusion Prevention is enabled with the Balanced or Security ruleset. For other Meraki customers, please refer to the further details link below for guidance on best practice. Meraki always recommends allowing external access to such services only through VPN rather than by opening ports for them.

Further details


SECURITY Spectre and Meltdown

Summary

Meltdown and Spectre are vulnerabilities affecting almost all computing devices, which have received widespread coverage in the public media. These vulnerabilities have been present in most processors shipped over at least the past 10 years, but have only recently come to light. Patches for the majority of desktop and mobile operating systems in common use have already been issued.

Scope

Meltdown impacts CPUs by several large component suppliers, potentially enabling access to sensitive data by a malicious program. Meraki hardware and cloud services are not impacted by these vulnerabilities.

Action

Customers using Meraki virtual machines – vMX or Virtual Concentrator – should verify that host operating systems are patched.

Further details


OCTOBER 2017


SECURITY Privilege Escalation Vulnerability

Summary

On October 18, 2017, Cisco Meraki corrected a technical error in the Meraki dashboard that previously made sensitive administrator authentication information available to other trusted dashboard users within the same organization. The issue allowed trusted users, with varying levels of permission, to view and access the API key and encrypted (BCrypt hashed and salted) passwords for their organization’s primary administrator. The primary administrator account is the first and/or oldest user account with full (read-write) permissions for an organization in the Meraki dashboard. This information disclosure presents the risk that less privileged users could perform API actions as though they were their organization’s primary administrator. Upon learning of the issue on October 18, 2017, Cisco Meraki immediately updated the dashboard so that the involved sensitive authentication information was no longer accessible.

If trusted users viewed the source of dashboard pages, they could have viewed the primary organization administrator’s API key and encrypted password. Cisco Meraki has no evidence to indicate that dashboard users have misused information exposed by this issue. The information, while sensitive, was only exposed to an organization’s own set of trusted users, and recovery of a usable password from its BCrypt hashed, salted version is extremely unlikely. However, a trusted user who accessed an administrator’s API key could potentially use it to change their own permissions within the Meraki dashboard. A list of administrators and permission levels and logs of changes made via the API are always available for audit within the Meraki dashboard.

Scope

Affected customers are those with more than one trusted user for the Meraki dashboard, and whose trusted users logged into dashboard between November 2016 and October 18, 2017.

Action

While risk associated with this incident is low, as a precaution, Cisco Meraki will be prompting affected administrators to update their passwords beginning on November 13, 2017. Additionally, Cisco Meraki will be directly contacting impacted primary organization administrators who have generated API keys, advising that they rotate their keys and update software using these keys at their earliest opportunity.

Further details


SECURITY BadRabbit Ransomware outbreak

Summary and Impact

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. This outbreak bore similarities to those seen earlier in 2017.

Scope

This outbreak did not compromise computers without user intervention.

Action

No action required for MX customers with an Advanced Security License. For other Meraki customers, please refer to the further details link below for guidance on best practice.

Further details


SECURITY dnsmasq Vulnerabilities CVE-2017-14491 & CVE-2017-13704

Summary and Impact

On October 2, 2017, the Google Security Team disclosed seven vulnerabilities affecting dnsmasq, a popular lightweight DNS resolver/cacher and DHCP server widely used to provide DNS and DHCP network services.

Scope

Meraki MR, MS, MX and MV utilize various versions of dnsmasq for DNS resolution services and are vulnerable to CVE-2017-14491 and CVE-2017-13704 specifically.

Action

Firmware versions which address these vulnerabilities are available for all platforms. Further details are available in the changelog firmware notes for each affected product.


SECURITY KRACK Wi-Fi vulnerabilities – CVE-2017-13082

Summary and Impact

On October 16, 2017, 10 new security vulnerabilities were announced that target the session establishment and management process in WPA(1/2)-PSK and Enterprise.

Scope

Of the 10 vulnerabilities, only one impacts Meraki access points for customers using 802.11r (fast roaming).

Action

Patches have been made available for Meraki access points. Customers using 802.11r either need to disable this feature or install a patch in order to eliminate risk related to this vulnerability.

Further details


Switch Fan Issue

Summary and Impact

On October 9th, 2017, we informed customers with certain switch models of an issue relating to the fan control system which could lead to premature unit failure. A firmware patch was issued which addresses this issue, and customers with switches exhibiting specific symptoms are being offered a free replacement switch.

Scope

All MS225-48LP/FP switch models.

Action

Organizations containing the affected switch models will see a banner in their dashboard if their switches need to be replaced. All affected switches will automatically receive a firmware upgrade. Administrators wishing to reschedule the upgrade will have the opportunity to do so.

Further details


AUGUST 2017


North American Object Storage Service Impact

Summary and Impact

On August 3rd, 2017, our engineering team made a configuration change that applied an erroneous policy to our North American object storage service and caused certain data uploaded prior to 11:20AM Pacific time on August 3 to be deleted. The issue was quickly remediated and is no longer occurring. In the majority of cases, this issue did not impact network operations, but had the potential to be an inconvenience as some data may have been deleted. This issue was limited to user uploaded data. Network configuration data was not impacted and no customer data was compromised.

Scope

Impacted customers will see a notification banner in the dashboard, with a link to organization-specific details.

Action

Our engineering team developed tools to help our customers specifically identify what files have been deleted from their Organization, together with tools to simplify uploading of replacement files.

Further details


JUNE 2017


SECURITY Nyetya (Petya) Ransomware outbreak

Summary and Impact

This ransomware attack is based on the same SMB-related EternalBlue and EternalRomance exploits used by WannaCry, but is more destructive in nature.

Scope

Certain unpatched Windows systems are vulnerable.

Action

No action required for MX customers with an Advanced Security License. For other Meraki customers, please refer to the further details link below for guidance on best practice.

Further details


MAY 2017


SECURITY Wannacry Ransomware Outbreak

Summary and Impact

A ransomware attack exploiting a vulnerability in Windows SMB.

Scope

Certain unpatched Windows systems are vulnerable.

Action

No action required for MX customers with an Advanced Security License. For other Meraki customers, please refer to the further details link below for guidance on best practice.

Further details


FEBRUARY 2017


Clock Signal Component Issue

Summary and Impact

Two Meraki product lines were affected by a clock signalling component issue which could result in premature failure.

Scope

Shipments of MS350 switch models and the MX84 security appliance were affected by this issue prior to the problem being resolved in January 2017.

Action

Customers with affected units have been contacted and replacement units are being shipped.

Further details