Vulnerability identifier: #VU15772
Vulnerability risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Meraki Z3 (Hardware solutions / Firmware)
Meraki Z1 (Hardware solutions / Firmware)
Meraki MX (Hardware solutions / Firmware)
Meraki MS (Hardware solutions / Firmware)
Meraki MR (Hardware solutions / Firmware)
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.
The vulnerability exists in the local status page functionality due to an error when handling requests to the local status page. A remote authenticated attacker (the CVSS vector above specifies PR:L) can establish an interactive session and gain elevated privileges to further compromise the device or obtain additional configuration data from it.
Mitigation
Update Meraki MR to version 9.37, 24.13 or 25.1.
Update Meraki MS to version 9.37 or 10.20.
Update Meraki MX to version 14.25 or 15.7.
Update Meraki Z1 to version 14.25 or 15.7.
Update Meraki Z3 to version 14.25 or 15.7.
Vulnerable software versions
Meraki Z3: All versions
Meraki Z1: All versions
Meraki MX: All versions
Meraki MS: All versions
Meraki MR: All versions
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.