Meraki

Community

Are Meraki devices vulnerable to the TCP SACK Kernel Panic DOS?

Solved
DonHey
Conversationalist
‎Jun 19 2019 6:43 AM
‎Jun 19 2019 6:43 AM

Are Meraki devices vulnerable to the TCP SACK Kernel Panic DOS?

https://access.redhat.com/security/vulnerabilities/tcpsack

0 Kudos
1 Accepted Solution
In response to DonHey
jdsilva
Kind of a big deal
‎Jun 24 2019 7:17 AM
‎Jun 24 2019 7:17 AM

The description of the CVE says that you have to establish a connection to a device to exploit this. The MX simply routing traffic through it would not be affected. 

http://blog.brokennetwork.ca | @jdsilva

View solution in original post

3 Replies 3
jdsilva
Kind of a big deal
‎Jun 19 2019 7:17 AM
‎Jun 19 2019 7:17 AM

Interesting... I'll obviously defer to Meraki to answer this, but thinking out loud, and assuming I understand the description of the problem, you would first need to establish a TCP connection to a device before you could trigger it. I haven't port scanned a Meraki device for a while, but IIRC your only option here would be the local status page. Turning that off should mitigate this, unless there's other open TCP ports...

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
DonHey
Conversationalist
‎Jun 23 2019 6:21 AM
‎Jun 23 2019 6:21 AM

Thanks @jdsilva!

 

Since HTTP runs over TCP, and our MX250 routes traffic from the public Internet, it would be reassuring if Meraki would confirm we can't be DOS'd with TCP SACK. 🙂

0 Kudos
In response to DonHey
jdsilva
Kind of a big deal
‎Jun 24 2019 7:17 AM
‎Jun 24 2019 7:17 AM

The description of the CVE says that you have to establish a connection to a device to exploit this. The MX simply routing traffic through it would not be affected. 

http://blog.brokennetwork.ca | @jdsilva
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.