Privilege escalation in Cisco Meraki
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-0284 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Meraki Z3 Hardware solutions / Firmware Meraki Z1 Hardware solutions / Firmware Meraki MX Hardware solutions / Firmware Meraki MS Hardware solutions / Firmware Meraki MR Hardware solutions / Firmware |
| Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Privilege escalation
EUVDB-ID: #VU15772
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-0284
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.
The vulnerability exists in the local status page functionality due to an error when handling requests to the local status page. A remote unauthenticated attacker can establish an interactive session, gain elevated privileges to further compromise the device or obtain additional configuration data from the device that is being exploited.
MitigationUpdate Meraki MR to version 9.37, 24.13, 25.1.
Update Meraki MS to version 9.37, 10.20.
Update Meraki MX to version 14.25, 15.7.
Update Meraki Z1 to version 14.25, 15.7.
Update Meraki Z3 to version 14.25, 15.7.
Meraki Z3: before 15.7
Meraki Z1: before 15.7
Meraki MX: before 15.7
Meraki MS: before 10.20
Meraki MR: before 25.1
External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
