Local Status Page Vulnerability
Vulnerability Summary
A vulnerability was discovered on certain Cisco Meraki devices that have our Local Status Page feature. This page is typically used for a few key configuration options needed to get a device connected to the cloud, either on initial setup or after moving the device or changing its upstream configuration. The vulnerability allows an attacker to inject configuration options and data into the device. The attacker would require either physical access or local network access to the device, together with knowledge of the credentials for the Local Status Page.
Impact Assessment
All Meraki MR, MS, and MX models are vulnerable. Meraki has already released firmware to address this vulnerability. We strongly urge customers to upgrade the firmware on affected devices to a version that includes this security fix.
Next Steps
The following options can address the issue completely or help to protect your devices.
- Fix: Schedule a firmware upgrade for the next available maintenance window to the applicable fixed release.
- Mitigation: Disable the Local Status Page until the firmware of the device can be upgraded.
Fixed Firmware Versions
Product Line | Fixed Releases
--- | ---
MR | 24.13 or later; 25.11 or later; all future major releases
MS | 9.37 or later; 10.20 or later; all future major releases
MX | 13.32 or later; 14.25 or later; 15.7 or later; all future major releases
Note that all current Stable, Stable Release Candidate, and Beta builds for the MX, MR, and MS product lines already have this fix implemented. Networks with automatic upgrades enabled may have already been patched.
Minimum Product Firmware Versions - Note that certain models may not be compatible with all the firmware versions listed above, and may require newer builds with the fix, rather than older builds with the fix. Please refer to our document on Minimum Product Firmware Versions for a full list.
FAQ
What is the potential impact of this vulnerability?
The potential impact is limited to the single device that the attacker can authenticate to. The attacker can inject configuration options into that device, which are written to the device's local configuration file; by writing to that file the attacker could grant themselves escalated privileges on that device.
How complex is it to execute this exploit?
The attacker requires authenticated access to the Local Status Page. This requires access to the device over its local network and/or physical access to the device, along with knowledge of the credentials for the page.
Are there steps I can take now?
Disable access to the Local Status Page under Network Wide > General, where a drop-down lets you disable the page. Disabling the page blocks the attacker from authenticating and gaining the level of access needed to exploit the vulnerability. A link to our documentation explaining this process can be found here.
How do I secure my network against these vulnerabilities?
We recommend setting unique credentials for the Local Status Page so that the password is no longer the default, which is the serial number of the device. We strongly urge you to upgrade firmware on affected Meraki products to a release that contains the patch. For information on patched versions, please refer to the "Fixed Firmware Versions" section above.
Is there a tool to update the Local Status page for all my networks in bulk?
We have an API that allows you to enable and disable the Local Status Page. We have built calls that let you stop it from responding via domain name (my.meraki.com) or IP address. The API calls and information can be found under Help > API Docs > Networks > Update a Network and, for MXs with access enabled on the WAN interfaces, under Help > API Docs > Firewalled Services > Updates the accessibility settings for the given service ('ICMP', 'web', or 'SNMP').
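The bulk change described above, as an added example that is not part of this advisory or of Meraki's own tooling. It assumes Dashboard API v1, where the status-page switches live on /networks/{networkId}/settings as localStatusPageEnabled and remoteStatusPageEnabled (the "Update a Network" call named above belonged to the earlier v0 API, which exposed the same switches as disableMyMerakiCom and disableRemoteStatusPage), an API key supplied through the MERAKI_API_KEY environment variable, and hypothetical organization and network IDs. The send function is injectable so the logic can be exercised offline; the MX firewalled-services payload builder is included but is not applied in the org-wide loop, because that endpoint only exists on MX networks.

```python
"""Bulk-disable the Meraki Local Status Page for every network in an organization."""
import json
import os
import urllib.request

# Assumption: Dashboard API v1. The "Update a Network" call the advisory refers to
# belonged to the older v0 API, where these switches were named disableMyMerakiCom
# and disableRemoteStatusPage; v1 exposes them on /networks/{id}/settings.
BASE_URL = "https://api.meraki.com/api/v1"


def status_page_payload(local_enabled=False, remote_enabled=False):
    """Body for PUT /networks/{networkId}/settings.

    localStatusPageEnabled controls the page reached from the LAN via
    my.meraki.com or the device IP; remoteStatusPageEnabled controls
    reaching it from other networks.
    """
    return {"localStatusPageEnabled": local_enabled,
            "remoteStatusPageEnabled": remote_enabled}


def wan_web_service_payload(allowed_ips=()):
    """Body for PUT /networks/{networkId}/appliance/firewall/firewalledServices/web
    (MX only): block the web service on the WAN, or restrict it to allowed_ips."""
    if allowed_ips:
        return {"access": "restricted", "allowedIps": list(allowed_ips)}
    return {"access": "blocked"}


def build_request(api_key, method, path, body=None):
    """Build an authenticated JSON request without sending it."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("X-Cisco-Meraki-API-Key", api_key)
    req.add_header("Content-Type", "application/json")
    return req


def http_send(req):
    """Send a request and return the decoded JSON body ({} when empty)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def disable_status_pages(api_key, org_id, send=http_send, dry_run=False):
    """Disable local and remote status pages on every network in org_id.

    Returns {networkId: "updated" | "already-disabled" | "would-update"}.
    `send` is injectable so the logic can be checked without network access.
    """
    networks = send(build_request(api_key, "GET", f"/organizations/{org_id}/networks"))
    results = {}
    for net in networks:
        nid = net["id"]
        current = send(build_request(api_key, "GET", f"/networks/{nid}/settings"))
        if (not current.get("localStatusPageEnabled", True)
                and not current.get("remoteStatusPageEnabled", True)):
            results[nid] = "already-disabled"   # idempotent: skip the PUT
            continue
        if dry_run:
            results[nid] = "would-update"
            continue
        send(build_request(api_key, "PUT", f"/networks/{nid}/settings",
                           status_page_payload()))
        results[nid] = "updated"
    return results


if __name__ == "__main__":
    # Read the key from the environment rather than hard-coding it in the script.
    key = os.environ["MERAKI_API_KEY"]
    org = os.environ["MERAKI_ORG_ID"]   # hypothetical organization ID
    for nid, action in sorted(disable_status_pages(key, org).items()):
        print(f"{nid}: {action}")
```

Run it once with dry_run=True to see which networks would change before applying it; networks whose pages are already disabled are skipped so repeated runs are safe.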
How can I upgrade my firmware to a patched version?
Customers can use the Firmware Upgrade Tool to schedule firmware upgrades. We have a document detailing the tool here.
Are there any devices that will not have the fix available?
The Meraki Mini/Outdoor/Outdoor 2/Solar/Wallplug/MR11/MR14/MR58 Access Points and MX 50/70 Security appliances are end-of-support and do not support the firmware version mentioned above. These devices will not have the fix available. It is recommended to disable the local status page or, at a minimum, create a complex password under Network Wide > General > Device Configuration.
I have one of the old devices mentioned above and want to upgrade. What are my options?
Please reach out to your Meraki sales rep to get information on upgrade options.