Vulnslist


Cisco Meraki Local Management Interface Firmware Installation Vulnerability

Cisco-SA-20141223-CVE-2014-7999 · Medium · Published · Updated

A vulnerability in the local management interface of devices running Cisco Meraki firmware could allow an authenticated, remote attacker on an adjacent network to access a deprecated HTTP handler to install firmware. An authenticated, remote attacker could exploit this vulnerability by authenticating to the local management interface and installing malicious firmware, overwriting the device configuration and possibly allowing the attacker to completely compromise the device. Cisco Meraki has confirmed the vulnerability and released software updates. An attacker must access networks adjacent to the targeted system to conduct an exploit, reducing the potential for attacks. In addition, the attacker must authenticate to the device's administrative interface, further limiting the potential for exploitation. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Workarounds

Administrators are advised to apply the appropriate updates.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to monitor affected systems.

CVEs: CVE-2014-7999
Cisco Bug IDs: NA
CVSS Score: Base 5.2, AV:A/AC:M/Au:S/C:N/I:C/A:N/E:F/RL:OF/RC:C
Product Names From Source: Cisco Meraki MS Firmware, Cisco Meraki MR Firmware, Cisco Meraki MX Firmware

Related Products

| Product | CVE | Evidence |
|---|---|---|
| Cisco Nexus Dashboard | CVE-2014-7999 | Cisco OpenVuln |
| Cisco Meraki MX security and SD-WAN appliances | CVE-2014-7999 | Cisco OpenVuln |
| Cisco Meraki MS Series Switches | CVE-2014-7999 | Cisco OpenVuln |
| Cisco Meraki Dashboard / Meraki firmware | CVE-2014-7999 | Cisco OpenVuln |
| Cisco Meraki MX Firmware | CVE-2014-7999 | Cisco OpenVuln |
| Cisco Meraki MS Firmware | CVE-2014-7999 | Cisco OpenVuln |
| Cisco Meraki MR Firmware | CVE-2014-7999 | Cisco OpenVuln |