Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

     Cisco Meraki Local Status Page Privilege Escalation Vulnerability
                              8 November 2018


        AusCERT Security Bulletin Summary

Product:           Cisco Meraki Local Status
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0284  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Priority: High
Advisory ID: cisco-sa-20181107-meraki
First Published: 2018 November 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available

CVSS Score:
Base 8.8


    A vulnerability in the local status page functionality of the Cisco Meraki
    MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote
    attacker to modify device configuration files.

    The vulnerability occurs when handling requests to the local status page.
    An exploit could allow the attacker to establish an interactive session to
    the device with elevated privileges. The attacker could then use the
    elevated privileges to further compromise the device or obtain additional
    configuration data from the device that is being exploited.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:

Affected Products

  * Vulnerable Products

    All Cisco Meraki products in the following list are affected by this
    vulnerability when the local status page feature is enabled and the device
    is running a software release prior to a fixed release listed in the Fixed
    Software section of this advisory:

      + MR devices
      + MS devices
      + MX devices (includes physical devices and the vMX100 virtual appliance)
      + Z1 and Z3 devices

    Note: The local status page feature is enabled by default on all Cisco
    Meraki software releases for the products in the preceding list.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect any Cisco
    wireless products except the Cisco Meraki products listed in the Vulnerable
    Products section.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco Meraki products:

      + Cisco Meraki Insight (MI)
      + Cisco Meraki MC family of VoIP phones
      + Cisco Meraki MV family of security cameras
      + Cisco Meraki Systems Manager (SM)


  * Although there are no workarounds that will allow customers to continue
    using the local status page and eliminate the attack vector for this
    vulnerability, disabling the local status page would eliminate the attack
    vector and prevent the vulnerability from being exploited. Customers are
    advised to consider their own environment needs to determine whether
    disabling the local status page is a feasible mitigation for preventing
    exploitation of unpatched devices.

    Customers with access to the Meraki Dashboard can use the following
    instructions to disable the local status page: Disabling the Local Status

    Note: Disabling the local status page can result in limited functionality
    in some scenarios. Consult the preceding link for information about the
    possible negative impact of disabling the local status page.

Fixed Software

  * Cisco Meraki has released software updates that address the vulnerability
    described in this advisory. Cisco Meraki provides software updates for all
    devices with a valid and active license, and there is no other requirement
    to receive such updates, as described in our End Customer Agreement.
    Devices without a valid, active license will not receive any software
    upgrades. If you require a new license, please contact your sales team or
    representative. The contact information is in the Meraki Dashboard under
    Help > Get Help.

    The policy and procedure for devices that have reached the end-of-support
    milestone are detailed on the Support Policies page.

    Fixed Releases

    Product                              Fixed Release
    Meraki MR                            MR 24 firmware - 24.13 or later
                                         MR 25 firmware - 25.11 or later
    Meraki MS                            MS 9 firmware - 9.37 or later
                                         MS 10 firmware - 10.20 or later
                                         MX 13 firmware - 13.32 or later
    Meraki MX and Meraki Z1/Z3           MX 14 firmware - 14.25 or later
                                         MX 15 firmware - 15.7 or later

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.


  * This vulnerability was found by an external researcher and reported to
    Cisco Meraki through the Cisco Meraki Security Vulnerability Rewards


  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki

Revision History

    | Version |        Description        | Section | Status |       Date        |
    | 1.0     | Initial public release.   | -       | Final  | 2018-November-07  |

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967