Privilege escalation in Cisco Meraki

Published: 2018-11-08 14:06:46
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2018-0284
CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID: CWE-264
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: Meraki Z3, Meraki Z1, Meraki MX, Meraki MS, Meraki MR
Vulnerable software versions:
    Meraki Z3 -
    Meraki Z1 -
    Meraki MX -
    Meraki MS -
    Meraki MR -
Vendor URL: Cisco Systems, Inc

Security Advisory

1) Privilege escalation

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in the local status page functionality due to an error when handling requests to the local status page. A remote authenticated attacker can establish an interactive session and gain elevated privileges, then further compromise the device or obtain additional configuration data from it.

Remediation

Update Meraki MR to version 9.37, 24.13 or 25.1.
Update Meraki MS to version 9.37 or 10.20.
Update Meraki MX to version 14.25 or 15.7.
Update Meraki Z1 to version 14.25 or 15.7.
Update Meraki Z3 to version 14.25 or 15.7.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki
