Bug/Possible breach found in the dashboard. Order Number is visible to third parties.

MerryAki
Building a reputation


Hey there, 

I know that this might only apply to used devices, which, in terms of the Meraki ecosystem, are not existent, but I wanted to share my thoughts on the claim/unclaim inventory status page. It also applies to serial numbers that were accessible to the public etc.

So I wanted to add a couple of devices which were in another dashboard. I get the overview of what's going to be added, but I also see the order number before my claim was even confirmed. So as a possible attacker I would try to figure out the serial number in order to gain access to details such as the Meraki-Order-Nr.

Given the fact that I have access to the order number, I, as an imaginary "thief", could claim unused devices from that order.


I don't have a solution for that, but something like a helpdesk for the claim/unclaim procedure and a better interface would be great. In my opinion this is a possible data breach, but that's something that's visible to all engineers.
I would also add a "reclaim" function in case devices have been "annexed" using this method.


Description:
I add a serial number from another dashboard,

I confirm the license/network settings -> https://n12345.meraki.com/o/Organization-ID/manage/organization/license/claim_orders/assign_networks...

In the next screen I can see details that should be protected (in my opinion, because using the order number, licenses and devices that are unused could be "annexed")

[screenshot]

As said, this also applies to devices that were operated by another dashboard:

[screenshot]

Sorry, but some messages are in German 🇩🇪 btw.


Meraki Staff, in case you think this is inappropriate for the forum, please move/restrict it and contact me via DM; normally companies like Cisco should have a bug bounty program 😋


TL;DR: I think some measures in the claim process are good, like the time interval (~some claims per five minutes or so), but others are too weak or too strong.

GreenMan
Meraki Employee

If a serial number is already claimed into a Dashboard Organization, it's not possible to claim the order of which it is part, via the order number.

MerryAki
Building a reputation

No, it's referring to individual devices which were unclaimed during device moving or are not yet claimed. I mean it's enough to have the serial number to gather dozens of serial numbers. I have submitted it at Bugcrowd.

ConnorL
Meraki Employee

FWIW, Meraki does indeed have a Bug Bounty program: https://bugcrowd.com/ciscomeraki 😃 however I believe this is outside of scope. As @GreenMan points out, if a serial from an order is claimed, the order number itself cannot be claimed.

MerryAki
Building a reputation

I filed it on Bugcrowd including a screen recording and random serial numbers I found in online databases.


Think that's not too important for Meraki nowadays. But it will be at a certain point.


I proved that I was able to claim a whole foreign order by only looking up a single serial number. Those could be obtained by monitoring marketplaces, inventory databases/public listings etc.


Think that I will upload the video/instructions again outside Bugcrowd.


[screenshot]
