===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3498
      Cisco Meraki Local Status Page Privilege Escalation Vulnerability
                               8 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Meraki Local Status
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0284

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki

- --------------------------BEGIN INCLUDED TEXT--------------------

Priority:        High
Advisory ID:     cisco-sa-20181107-meraki
First Published: 2018 November 7 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

CVE-2018-0284
CVSS Score:      Base 8.8
                 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the local status page functionality of the Cisco Meraki
    MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote
    attacker to modify device configuration files.

    The vulnerability occurs when handling requests to the local status page.
    An exploit could allow the attacker to establish an interactive session to
    the device with elevated privileges. The attacker could then use the
    elevated privileges to further compromise the device or obtain additional
    configuration data from the device that is being exploited.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki

Affected Products

  * Vulnerable Products

    All Cisco Meraki products in the following list are affected by this
    vulnerability when the local status page feature is enabled and the device
    is running a software release prior to a fixed release listed in the Fixed
    Software section of this advisory:

      + MR devices
      + MS devices
      + MX devices (includes physical devices and the vMX100 virtual appliance)
      + Z1 and Z3 devices

    Note: The local status page feature is enabled by default on all Cisco
    Meraki software releases for the products in the preceding list.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect any Cisco
    wireless products except the Cisco Meraki products listed in the
    Vulnerable Products section.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco Meraki products:

      + Cisco Meraki Insight (MI)
      + Cisco Meraki MC family of VoIP phones
      + Cisco Meraki MV family of security cameras
      + Cisco Meraki Systems Manager (SM)

Workarounds

  * Although there are no workarounds that will allow customers to continue
    using the local status page and eliminate the attack vector for this
    vulnerability, disabling the local status page would eliminate the attack
    vector and prevent the vulnerability from being exploited. Customers are
    advised to consider their own environment needs to determine whether
    disabling the local status page is a feasible mitigation for preventing
    exploitation of unpatched devices.

    Customers with access to the Meraki Dashboard can use the following
    instructions to disable the local status page: Disabling the Local Status
    Page.

    Note: Disabling the local status page can result in limited functionality
    in some scenarios. Consult the preceding link for information about the
    possible negative impact of disabling the local status page.

Fixed Software

  * Cisco Meraki has released software updates that address the vulnerability
    described in this advisory.

    Cisco Meraki provides software updates for all devices with a valid and
    active license, and there is no other requirement to receive such updates,
    as described in our End Customer Agreement. Devices without a valid,
    active license will not receive any software upgrades. If you require a
    new license, please contact your sales team or representative. The contact
    information is in the Meraki Dashboard under Help > Get Help.

    The policy and procedure for devices that have reached the end-of-support
    milestone are detailed on the Support Policies page.

    Fixed Releases

    +---------------------------+-----------------------------------+
    | Product                   | Fixed Release                     |
    +---------------------------+-----------------------------------+
    | Meraki MR                 | MR 24 firmware - 24.13 or later   |
    |                           | MR 25 firmware - 25.11 or later   |
    +---------------------------+-----------------------------------+
    | Meraki MS                 | MS 9 firmware - 9.37 or later     |
    |                           | MS 10 firmware - 10.20 or later   |
    +---------------------------+-----------------------------------+
    | Meraki MX and             | MX 13 firmware - 13.32 or later   |
    | Meraki Z1/Z3              | MX 14 firmware - 14.25 or later   |
    |                           | MX 15 firmware - 15.7 or later    |
    +---------------------------+-----------------------------------+

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found by an external researcher and reported to
    Cisco Meraki through the Cisco Meraki Security Vulnerability Rewards
    Program.

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki

Revision History

  * +----------------------------------------------------------------------------+
    | Version | Description               | Section | Status | Date              |
    |---------+---------------------------+---------+--------+-------------------|
    | 1.0     | Initial public release.   | -       | Final  | 2018-November-07  |
    +----------------------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
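One way to turn the advisory's Fixed Releases table and its workaround into a check over a device inventory (an added example, not Cisco's or AusCERT's code; FIXED_RELEASES is copied from the table, while the hostnames, firmware strings and helper names are constructed):

```python
# Firmware gate for CVE-2018-0284 (Cisco Meraki local status page). Added example,
# not Cisco's or AusCERT's code: FIXED_RELEASES is copied from the advisory's Fixed
# Releases table; the inventory rows and helper names are constructed.

# Product family -> {major firmware train: first fixed release in that train}.
MX_TRAINS = {13: (13, 32), 14: (14, 25), 15: (15, 7)}   # MX, Z1 and Z3 share these
FIXED_RELEASES = {
    "MR": {24: (24, 13), 25: (25, 11)},
    "MS": {9: (9, 37), 10: (10, 20)},
    "MX": MX_TRAINS, "Z1": MX_TRAINS, "Z3": MX_TRAINS,
}

def parse_version(text):
    """Turn 'MS 10.19' or '10.19' into a comparable tuple of ints, (10, 19)."""
    numeric = text.split()[-1]          # drop a leading family tag such as 'Z3'
    return tuple(int(part) for part in numeric.split("."))

def assess_device(family, firmware, local_status_page=True):
    """Return 'fixed', 'vulnerable', 'mitigated' or 'review' for one device.
    Per the advisory a device is exposed only while the local status page is
    enabled (the default) and it runs a release prior to a fixed release."""
    trains = FIXED_RELEASES.get(family.upper())
    if trains is None:
        return "review"                 # family not named in the advisory
    running = parse_version(firmware)
    fixed = trains.get(running[0])
    if fixed is None and running[0] >= min(trains):
        return "review"                 # newer train the advisory does not list
    if fixed is not None and running >= fixed:
        return "fixed"
    # Below the fix: exposure remains only while the local status page is enabled.
    return "vulnerable" if local_status_page else "mitigated"

def assess_inventory(devices):
    """Map device name -> verdict for (name, family, firmware, lsp_enabled) rows."""
    return {name: assess_device(fam, fw, lsp) for name, fam, fw, lsp in devices}

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "MR", "MR 24.12", True),   # below 24.13 -> vulnerable
    ("ap-lobby-02", "MR", "25.11", True),      # meets 25.11 -> fixed
    ("sw-core-01", "MS", "MS 9.36", False),    # unpatched, LSP disabled -> mitigated
    ("fw-edge-01", "MX", "13.32", True),       # first fixed 13.x release -> fixed
    ("tp-branch-01", "Z3", "12.28", True),     # older than every fixed train -> vulnerable
    ("fw-lab-01", "MX", "16.2", True),         # train not in the advisory -> review
]

if __name__ == "__main__":
    for name, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:14} {verdict}")
```

A "review" verdict covers families and firmware trains the advisory does not list, so those devices are checked by hand rather than silently marked safe.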
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================