Read-only admin can cycle switch ports???

sungod
Kind of a big deal

Read-only admin can cycle switch ports???

One of our customers contacted me after they had an issue with a switch port/connected device.

 

I was surprised when they told me they had cycled the port, they have only organization read access, they do not have any other permissions such as port management privileges.

 

I can see in the event log that the port was cycled a few times.

 

Is it really correct that a read-only admin can cycle ports? I would not expect read-only access to permit any impact on device operation.

 

17 Replies 17
DarrenOC
Kind of a big deal
Kind of a big deal

Have you tried labbing that one @sungod?  I’m a read only admin for one particular customer so will take a look to see if I can cycle a switch port

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
DarrenOC
Kind of a big deal
Kind of a big deal

Hi @sungod , yep, that worked and can see the switch port being cycled in the event log.

 

Agree that this shouldn’t be allowed as a Read Only admin

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
sungod
Kind of a big deal

Thanks for checking.

 

Guess I'll be opening yet another support case!

RaphaelL
Kind of a big deal
Kind of a big deal

Of course they can! 

 

I can't find my old post about that. There is a list of things that R-O 'admins' can do that makes 0 sense. Let me find it.

RaphaelL
Kind of a big deal
Kind of a big deal

Here it is: https://community.meraki.com/t5/Switching/Live-Tools/m-p/179117

 

Okay , it's not a loooong list , but cable test and port cycle shouldn't be available to RO admins. The fact that there is no logs at all it also a big joke.

DarrenOC
Kind of a big deal
Kind of a big deal

Ouch! Nearly been a year but that “feature” still remains.   

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
RaphaelL
Kind of a big deal
Kind of a big deal

I can probably paste my actual case here but they have a weird definition of 'dashboard admin'. 

 

They basicly said : working as expected , please make a wish/ feature request. 🙂 

 

Also we had one of our 400-500 dashboard "admin" that was doing 1-48 cable test during the day and that affecting videoconference rooms... we couldn't find the culprit since there are NO logs. What a fun time we had last year !

sungod
Kind of a big deal

'strewth!

 

Words fail me.

BlakeRichardson
Kind of a big deal
Kind of a big deal

Hmm theres a few odd things coming out, first the requirement for hardware to be part of a network to actually be "claimed" and now they fact RO admins can disrupt a network. I am not sure what part of read only isn't read only. 

 

I would like the ability to have far more detail in the logs, it should be able option that Org admins can enable if they wish to. For those that can read detailed logs it's most likely going to cut down on support cases being opened which saves Meraki money but also means customers / MSP can resolve their own issues.

 

Win win for both sides. 

sungod
Kind of a big deal

As expected, support say it's supposed to work like this, disappointing.

 

My response was that it's still incorrect behaviour and needs fixing, I asked them to escalate it.

 

Might be useful if a few more people could open a case for this, as it stands a malicious RO user with a bit of scripting knowledge could easily cause major problems across an organization.

 

We now have internal discussion to decide if/when we should start warning customers of the risk, as some of them want to have a lot of RO users.

 

DarrenOC
Kind of a big deal
Kind of a big deal

Put out a post on social media ie LinkedIn and forward your customers to this post and also reference your TAC support case number.  Might get some 👀 on it then.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
sungod
Kind of a big deal

Well, I just reported it as a vulnerability via Meraki's chosen route (bugcrowd), will see what happens.

 

Our internal security/systems people can decide what to do next with customers, I've more fun things I want to spend time on 🙂

 

sungod
Kind of a big deal

Well, I've exhausted options with Meraki support and their security vulnerability reporting process.

 

A read-only user has the ability to carry out a denial of service, Meraki position (stated via both channels) is that it is 'intended behaviour'.

 

Time to warn customers.

 

TonyC
Meraki Employee
Meraki Employee

Hi @sungod and Community! 

 

First – thanks for raising this as a topic. While we initially designed the read-only role to include a user's ability to troubleshoot, and port cycle (along with all live tools) is seen as falling into that permissible category, we also fully recognize that this may or may not be the desired behavior based on your own organizational IT policies.

 

We are reviewing and further evaluating how we may add an explicit option to enable or disable this so to put this decision in our users' hands. We'll follow up when we have an update to share to address this concern and feedback.

 

 

Thanks for being Meraki MS customers, we value each of you. Be in touch!

 

~tony

Product Management, Meraki Switching

sungod
Kind of a big deal

@TonyC 

 

thanks for the update.

 

The option to disable would be a solution as no one I've spoken to so far in our customers (we're an MSP) realises this is accessible to their read-only users.

 

RaphaelL
Kind of a big deal
Kind of a big deal

Something curious : 

 

https://documentation.meraki.com/MI/MI_WAN_Health

The speed tests are currently available for download speed only and can only be run by Dashboard Administrators who have writing configuration privileges.

 

How hard would it be to retrofit that logic to problematic features that RO users have ? ( port cycle , cable tests , reboot devices [...] )

RaphaelL
Kind of a big deal
Kind of a big deal

Now documented in : https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Managing_Dashboard...

 

Read-Only admins can perform switch port cycles and cable tests

Get notified when there are additional replies to this discussion.