Bug/Possible breach found in the dashboard. Order Number is visible to third parties.

MerryAki
Building a reputation


Hey there, 

I know that this might only apply to used devices, which, in terms of the Meraki ecosystem, are non-existent, but I wanted to share my thoughts on the claim/unclaim inventory status page. It also applies to serial numbers that were accessible to the public, etc.

So I wanted to add a couple of devices which were in another dashboard. I get the overview of what's going to be added, but I also see the order number before my claim was even confirmed. So as a possible attacker I would try to figure out the serial number in order to gain access to details such as the Meraki order number.

Given the fact that I have access to the order number, I, as an imaginary "thief", could claim unused devices from that order.

 

I don't have a solution for that, but something like a helpdesk for the claim/unclaim procedure and a better interface would be great. In my opinion this is a possible data breach, but that's something that's visible to all engineers.
I would also add a "reclaim" function in case devices have been "annexed" using this method.

 

Description:
I add a serial number from another dashboard,

I confirm the license/network settings -> https://n12345.meraki.com/o/Organization-ID/manage/organization/license/claim_orders/assign_networks...

In the next screen I can see details that should be protected (in my opinion, because using the order number, unused licenses and devices could be "annexed").

[Image: MerryAki_0-1687860580714.png]

As said, this also applies to devices that were operated by another dashboard:

[Image: MerryAki_0-1687860933173.png]

Sorry, but some messages are in German 🇩🇪, by the way.

 

Meraki Staff, in case you think this is inappropriate for the forum, please move/restrict it and contact me via DM. Normally companies like Cisco should have a bug bounty program 😋

 

TL;DR: I think some measures in the claim process are good, like the time interval (~some claims per five minutes or so), but others are too weak or too strong.

4 Replies
GreenMan
Meraki Employee

If a serial number is already claimed into a Dashboard Organization, it's not possible to claim the order of which it is part, via the order number.

MerryAki
Building a reputation

No, it's referring to individual devices which were unclaimed during device moving or are not yet claimed. I mean it's enough to have one serial number to gather dozens of serial numbers. I have submitted it at Bugcrowd.

ConnorL
Meraki Employee

FWIW, Meraki does indeed have a Bug Bounty program: https://bugcrowd.com/ciscomeraki 😃 However, I believe this is outside of scope. As @GreenMan points out, if a serial from an order is claimed, the order number itself cannot be claimed.

MerryAki
Building a reputation

I filed it on Bugcrowd including a screen recording and random serial numbers I found in online databases.

 

I think that's not too important for Meraki nowadays. But it will be at a certain point.

 

I proved that I was able to claim a whole foreign order by only looking up a single serial number. Those could be obtained by monitoring marketplaces, inventory databases/public listings, etc.

 

I think that I will upload the video/instructions again outside Bugcrowd.

 

[Image: Screenshot_20230711-095411.png]
