{
  "document": {
    "acknowledgments": [
      {
        "summary": "This vulnerability was found by an external researcher and reported to Cisco Meraki through the Cisco Meraki Security Vulnerability Rewards Program [\"https://meraki.cisco.com/trust#srp\"]."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "title": "Summary",
        "text": "A vulnerability in the local status page functionality of the Cisco Meraki MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote attacker to modify device configuration files.\r\n\r\nThe vulnerability occurs when handling requests to the local status page. An exploit could allow the attacker to establish an interactive session to the device with elevated privileges. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device that is being exploited.\r\n\r\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\r\n\r\nThis advisory is available at the following link:\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki\"]"
      },
      {
        "category": "general",
        "title": "Vulnerable Products",
        "text": "All Cisco Meraki products in the following list are affected by this vulnerability when the local status page feature is enabled and the device is running a software release prior to a fixed release listed in the Fixed Software [\"#fs\"] section of this advisory:\r\n\r\nMR devices\r\nMS devices\r\nMX devices (includes physical devices and the vMX100 virtual appliance)\r\nZ1 and Z3 devices\r\n\r\nNote: The local status page feature is enabled by default on all Cisco Meraki software releases for the products in the preceding list."
      },
      {
        "category": "general",
        "title": "Products Confirmed Not Vulnerable",
        "text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nCisco has confirmed that this vulnerability does not affect any Cisco wireless products except the Cisco Meraki products listed in the Vulnerable Products [\"#vp\"] section.\r\n\r\nCisco has confirmed that this vulnerability does not affect the following Cisco Meraki products:\r\n\r\nCisco Meraki Insight (MI)\r\nCisco Meraki MC family of VoIP phones\r\nCisco Meraki MV family of security cameras\r\nCisco Meraki Systems Manager (SM)"
      },
      {
        "category": "general",
        "title": "Workarounds",
        "text": "Although there are no workarounds that will allow customers to continue using the local status page and eliminate the attack vector for this vulnerability, disabling the local status page would eliminate the attack vector and prevent the vulnerability from being exploited. Customers are advised to consider their own environment needs to determine whether disabling the local status page is a feasible mitigation for preventing exploitation of unpatched devices.\r\n\r\nCustomers with access to the Meraki Dashboard can use the following instructions to disable the local status page: Disabling the Local Status Page [\"https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Disabling_the_Local_Status_Page\"].\r\n\r\nNote: Disabling the local status page can result in limited functionality in some scenarios. Consult the preceding link for information about the possible negative impact of disabling the local status page."
      },
      {
        "category": "general",
        "title": "Fixed Software",
        "text": "Cisco Meraki has released software updates that address the vulnerability described in this advisory. Cisco Meraki provides software updates for all devices with a valid and active license, and there is no other requirement to receive such updates, as described in our End Customer Agreement. Devices without a valid, active license will not receive any software upgrades. If you require a new license, please contact your sales team or representative. The contact information is in the Meraki Dashboard under Help > Get Help.\r\n\r\nThe policy and procedure for devices that have reached the end-of-support milestone are detailed on the Support Policies [\"https://meraki.cisco.com/support/#policies:eol\"] page.\r\n\r\nFixed Releases (Product - Fixed Release):\r\n\r\nMeraki MR\r\nMR 24 firmware - 24.13 or later\r\nMR 25 firmware - 25.11 or later\r\n\r\nMeraki MS\r\nMS 9 firmware - 9.37 or later\r\nMS 10 firmware - 10.20 or later\r\n\r\nMeraki MX and Meraki Z1/Z3\r\nMX 13 firmware - 13.32 or later\r\nMX 14 firmware - 14.25 or later\r\nMX 15 firmware - 15.7 or later"
      },
      {
        "category": "general",
        "title": "Vulnerability Policy",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.\r\n\r\nThe Cisco Meraki Security Vulnerability Rewards Program [\"https://meraki.cisco.com/trust#srp\"] page describes this program and how to participate."
      },
      {
        "category": "general",
        "title": "Exploitation and Public Announcements",
        "text": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
      },
      {
        "category": "general",
        "title": "Source",
        "text": "This vulnerability was found by an external researcher and reported to Cisco Meraki through the Cisco Meraki Security Vulnerability Rewards Program [\"https://meraki.cisco.com/trust#srp\"]."
      },
      {
        "category": "legal_disclaimer",
        "title": "Legal Disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products."
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
      "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco Meraki Local Status Page Privilege Escalation Vulnerability",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki"
      },
      {
        "category": "external",
        "summary": "Disabling the Local Status Page",
        "url": "https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Disabling_the_Local_Status_Page"
      },
      {
        "category": "external",
        "summary": "Support Policies",
        "url": "https://meraki.cisco.com/support/#policies:eol"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "Cisco Meraki Security Vulnerability Rewards Program",
        "url": "https://meraki.cisco.com/trust#srp"
      }
    ],
    "title": "Cisco Meraki Local Status Page Privilege Escalation Vulnerability",
    "tracking": {
      "current_release_date": "2018-11-07T16:00:00+00:00",
      "generator": {
        "date": "2022-09-03T03:18:19+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-20181107-meraki",
      "initial_release_date": "2018-11-07T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2018-11-07T01:04:44+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "name": "Cisco",
        "category": "vendor",
        "branches": [
          {
            "name": "Cisco Meraki MR Firmware",
            "category": "product_family",
            "product": {
              "name": "Cisco Meraki MR Firmware ",
              "product_id": "CSAFPID-204723"
            }
          }
        ]
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-0284",
      "notes": [
        {
          "category": "other",
          "title": "Affected Product Comprehensiveness",
          "text": "Complete."
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-204723"
        ]
      },
      "release_date": "2018-11-07T16:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Cisco has released software updates that address this vulnerability.",
          "product_ids": [
            "CSAFPID-204723"
          ],
          "url": "https://software.cisco.com"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-204723"
          ]
        }
      ],
      "title": "Cisco Meraki Local Status Page Privilege Escalation Vulnerability"
    }
  ]
}