Are Meraki devices vulnerable to the TCP SACK Kernel Panic DOS?

SOLVED
DonHey
Conversationalist

Are Meraki devices vulnerable to the TCP SACK Kernel Panic DOS?

1 ACCEPTED SOLUTION
jdsilva
Kind of a big deal

The description of the CVE says that you have to establish a connection to a device to exploit this. The MX simply routing traffic through it would not be affected. 

View solution in original post

3 REPLIES 3
jdsilva
Kind of a big deal

Interesting... I'll obviously defer to Meraki to answer this, but thinking out loud, and assuming I understand the description of the problem, you would first need to establish a TCP connection to a device before you could trigger it. I haven't port scanned a Meraki device for a while, but IIRC your only option here would be the local status page. Turning that off should mitigate this, unless there's other open TCP ports...

DonHey
Conversationalist

Thanks @jdsilva!

 

Since HTTP runs over TCP, and our MX250 routes traffic from the public Internet, it would be reassuring if Meraki would confirm we can't be DOS'd with TCP SACK. 🙂

jdsilva
Kind of a big deal

The description of the CVE says that you have to establish a connection to a device to exploit this. The MX simply routing traffic through it would not be affected. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels