#VU15772 Privilege escalation in Cisco Systems, Inc Hardware solutions


Published: 2018-11-07 | Updated: 2018-11-08

Vulnerability identifier: #VU15772

Vulnerability risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0284

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Meraki Z3 (Hardware solutions / Firmware)
Meraki Z1 (Hardware solutions / Firmware)
Meraki MX (Hardware solutions / Firmware)
Meraki MS (Hardware solutions / Firmware)
Meraki MR (Hardware solutions / Firmware)

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in the local status page functionality due to an error when handling requests to the local status page. A remote authenticated attacker can establish an interactive session and gain elevated privileges to further compromise the device or obtain additional configuration data from it.

Mitigation
Update Meraki MR to version 9.37, 24.13 or 25.1.
Update Meraki MS to version 9.37 or 10.20.
Update Meraki MX to version 14.25 or 15.7.
Update Meraki Z1 to version 14.25 or 15.7.
Update Meraki Z3 to version 14.25 or 15.7.

Vulnerable software versions

Meraki Z3: All versions

Meraki Z1: All versions

Meraki MX: All versions

Meraki MS: All versions

Meraki MR: All versions


External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

