CVE-2018-0284

Cisco Meraki Local Status Page Privilege Escalation Vulnerability

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the local status page functionality of the Cisco Meraki MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote attacker to modify device configuration files. The vulnerability occurs when handling requests to the local status page. An exploit could allow the attacker to establish an interactive session to the device with elevated privileges. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device that is being exploited.

Una vulnerabilidad en la funcionalidad de la página de estado local de las líneas de productos MR, MS, MX, Z1 y Z3 de Cisco Meraki podría permitir que un atacante remoto autenticado modifique los archivos de configuración del dispositivo. La vulnerabilidad se produce cuando se gestionan las solicitudes a la página de estado local. Su explotación podría permitir al atacante establecer una sesión interactiva en el dispositivo con privilegios elevados. El atacante podría entonces utilizar los privilegios elevados para comprometer aún más el dispositivo u obtener datos de configuración adicionales del dispositivo que se está explotando.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-11-27 CVE Reserved
2018-11-08 CVE Published
2024-09-16 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (2)

URL	Tag	Source
http://www.securityfocus.com/bid/105878	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"	Meraki Mr 24 Firmware Search vendor "Cisco" for product "Meraki Mr 24 Firmware"	< 24.13 Search vendor "Cisco" for product "Meraki Mr 24 Firmware" and version " < 24.13"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Mr Search vendor "Cisco" for product "Meraki Mr"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mr 25 Firmware Search vendor "Cisco" for product "Meraki Mr 25 Firmware"	< 25.11 Search vendor "Cisco" for product "Meraki Mr 25 Firmware" and version " < 25.11"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Mr Search vendor "Cisco" for product "Meraki Mr"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Ms 10 Firmware Search vendor "Cisco" for product "Meraki Ms 10 Firmware"	< 10.20 Search vendor "Cisco" for product "Meraki Ms 10 Firmware" and version " < 10.20"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Ms Search vendor "Cisco" for product "Meraki Ms"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Ms 9 Firmware Search vendor "Cisco" for product "Meraki Ms 9 Firmware"	< 9.37 Search vendor "Cisco" for product "Meraki Ms 9 Firmware" and version " < 9.37"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Ms Search vendor "Cisco" for product "Meraki Ms"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mx 13 Firmware Search vendor "Cisco" for product "Meraki Mx 13 Firmware"	< 13.32 Search vendor "Cisco" for product "Meraki Mx 13 Firmware" and version " < 13.32"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Mx Search vendor "Cisco" for product "Meraki Mx"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mx 14 Firmware Search vendor "Cisco" for product "Meraki Mx 14 Firmware"	< 14.25 Search vendor "Cisco" for product "Meraki Mx 14 Firmware" and version " < 14.25"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Mx Search vendor "Cisco" for product "Meraki Mx"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mx 15 Firmware Search vendor "Cisco" for product "Meraki Mx 15 Firmware"	< 15.7 Search vendor "Cisco" for product "Meraki Mx 15 Firmware" and version " < 15.7"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Mx Search vendor "Cisco" for product "Meraki Mx"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mx 13 Firmware Search vendor "Cisco" for product "Meraki Mx 13 Firmware"	< 13.32 Search vendor "Cisco" for product "Meraki Mx 13 Firmware" and version " < 13.32"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Z1 Search vendor "Cisco" for product "Meraki Z1"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mx 14 Firmware Search vendor "Cisco" for product "Meraki Mx 14 Firmware"	< 14.25 Search vendor "Cisco" for product "Meraki Mx 14 Firmware" and version " < 14.25"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Z1 Search vendor "Cisco" for product "Meraki Z1"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mx 15 Firmware Search vendor "Cisco" for product "Meraki Mx 15 Firmware"	< 15.7 Search vendor "Cisco" for product "Meraki Mx 15 Firmware" and version " < 15.7"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Z1 Search vendor "Cisco" for product "Meraki Z1"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mx 13 Firmware Search vendor "Cisco" for product "Meraki Mx 13 Firmware"	< 13.32 Search vendor "Cisco" for product "Meraki Mx 13 Firmware" and version " < 13.32"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Z3 Search vendor "Cisco" for product "Meraki Z3"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mx 14 Firmware Search vendor "Cisco" for product "Meraki Mx 14 Firmware"	< 14.25 Search vendor "Cisco" for product "Meraki Mx 14 Firmware" and version " < 14.25"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Z3 Search vendor "Cisco" for product "Meraki Z3"	-	-	Safe
Cisco Search vendor "Cisco"	Meraki Mx 15 Firmware Search vendor "Cisco" for product "Meraki Mx 15 Firmware"	< 15.7 Search vendor "Cisco" for product "Meraki Mx 15 Firmware" and version " < 15.7"	-	Affected	in	Cisco Search vendor "Cisco"	Meraki Z3 Search vendor "Cisco" for product "Meraki Z3"	-	-	Safe