Skip to main content
Cisco Meraki Documentation

Cisco Meraki MX67 and MX68 Sensitive Information Disclosure Vulnerability

Vulnerability Summary

A security vulnerability (CVE ID: CVE-2019-1815, CVSSv3 SCORE: Base 7.5) was discovered in the local status page functionality of   Cisco Meraki’s MX67 and MX68 security appliance models that may allow unauthenticated individuals to access and download logs containing sensitive, privileged device information. The vulnerability is due to improper access control to the files holding debugging and maintenance information, and is only exploitable when the local status page is enabled on the device. An attacker exploiting this vulnerability may obtain access to wireless pre-shared keys, Site-to-Site VPN key and other sensitive information. Under certain circumstances, this information may allow an attacker to obtain administrative-level access to the device.

Impact Assessment

Affected products include only the MX67 and MX68 security appliances. Cisco Meraki strongly recommends that affected customers promptly schedule a firmware upgrade to a fixed release for this vulnerability, as well as change all passwords and secrets entered for the MX devices for feature uses.

Next Steps

The following options are available to address the issue and help protect your devices.

  • Fix: Schedule a firmware upgrade for the next available maintenance window to the applicable fixed release.

  • Mitigation: Temporarily disable the local status page until the firmware of the device can be upgraded

  • Prevention: Meraki strongly recommends that affected customers change all passwords and secrets entered for the MX devices for feature uses. This does not mean that customers need to change their passwords to log into Dashboard, but rather any credentials entered into Dashboard that are required to use certain features such as Site-to-Site VPN or Active Directory integrations. This step is recommended for all affected customers to ensure that the passwords and secrets in use do not have the potential to be compromised.

Fixed Firmware Details

Affected Models Fixed Releases

MX67(C/W)

MX68(C/W/WC)

14.39 or later
15.12 or later
All future major releases

FAQ

Is Cisco Meraki aware of any exploitation or public discussion of this vulnerability?

As of this publication date, Cisco Meraki is NOT aware of any active exploitation of this vulnerability, nor the public availability of any tool to exploit this vulnerability, nor details on how to exploit this vulnerability.

 

How was this found?

Through a report received through the Cisco Meraki Bug Bounty Program. More information about the Cisco Meraki Bug Bounty Program can be found here.

 

If no exploitation is known to have happened, why are you recommending to change wireless PSK/AD credentials?

Out of an abundance of caution, Cisco Meraki recommends changing all passwords and secrets entered for the MX devices.

 

What is the potential impact of this vulnerability?

The potential impact is limited to the single device that the attacker has access to. It allows them to read log files from the device itself. The attacker could then leverage this information to attack the customer’s network or gain further access based on the information they see.

 

How complex is it to execute this exploit?

The attacker requires access to the local status page to exploit this vulnerability. This requires them to have access to the devices on their local network and/or physical access to the device, along with knowledge of the page.

 

Are there steps I can take now?

We have built a page in Dashboard under Announcements > MX Sensitive Log Exposure Vulnerability that will dynamically detect and provide a list of all affected networks, templates, and devices. This will enable you to disable the local status page across all affected networks.

 

You can also do this manually by disabling access to the local status page under Network Wide > General. There will be a drop down where you can disable the page. Disabling the page will block the attacker from being able to authenticate and gain the level of access needed to exploit the vulnerability. A link to our documentation explaining this process can be found here.

 

You can also do this via the Dashboard API. We have API calls that allow you to enable and disable the local status page. We built the calls to allow you to disable it from responding via domain name (my.meraki.com) or IP address. The API calls and information can be found under Help > API Docs.

 

How do I secure my network against these vulnerabilities?

Cisco Meraki strongly recommends that affected customers promptly schedule a firmware upgrade to a fixed release for this vulnerability, as well as change all passwords and secrets entered for the MX devices for feature uses. This does not mean that customers need to change their passwords to log into Dashboard, but rather any credentials entered into Dashboard that are required to use certain features such as Site-to-Site VPN or Active Directory integrations. This step is recommended for all affected customers to ensure that the passwords and secrets in use do not have the potential to be compromised.

 

How can I upgrade my firmware to a fixed release?

Customers can use the Firmware Upgrade Tool to schedule firmware upgrades. We have a document detailing the tool here.

 

  • Was this article helpful?